October 26, 2008 // 6:36 pm
- Many users live with boot problems or re-install Windows and start again, but there is a better way. If you learn what happens during the boot process then you'll be able to diagnose and fix any issues that might arise.
The boot starts with your PC's BIOS, which grabs its settings from CMOS RAM before initialising your video adaptor and any expansion cards. A Power On Self Test does basic hardware checks, tests your RAM if required and usually delivers a single beep to indicate that everything is working.
If there's a problem at this point then the BIOS will display an error message or issue a number of beeps; check your motherboard manual to figure out what they might mean. If it's accessible, launch your BIOS setup program to confirm that no settings have been changed. If they have, this could mean that your motherboard's CMOS battery has failed, in which case you'll need a replacement.
If you've installed an expansion card recently, try it in a different slot. Other new devices should be removed altogether to see if they are causing a problem. You can also check the support section of your motherboard or your PC manufacturer's site for more advice.
These hardware problems are relatively uncommon, though. It's likely that this first boot stage will be completed without incident and your PC will move smoothly into stage two, which is hard drive access.
Master Boot Record
The BIOS now attempts to load the first sector of the first drive specified in your boot order list (you'll find this in the BIOS settings). If there's nothing bootable in that device, the BIOS will work down the list until it encounters a hard drive.
The first sector of a hard drive normally contains the Volume Boot Record or Master Boot Record (MBR), a structure that includes a tiny program to launch the boot process and details of how your hard drive is partitioned. The last two bytes of the sector now have a standard signature, which is '0x55AA' (see www.multibooters.co.uk/mbr.html
), so the BIOS checks for this to confirm that the drive is bootable. If those bytes aren't present, it'll skip this device and carry on down the boot order list, displaying an error message like 'Operating system not found' if it can't find anything to boot.
If the signature is found, though, your BIOS will launch the MBR program. This scans each of your partitions, checking their boot indicator bytes. If these are all set to zero (not bootable), you'll see an 'Operating system not found' error message. If they're anything other than zero or 0x80, you'll see an 'Invalid partition table' message. However, if it finds just one with a value of 0x80 (meaning bootable), then the MBR program will load the first sector in that partition, the Volume Boot Sector.
If the Volume Boot Sector can't be read, the MBR program will say there's an 'Error loading the operating system'. If it can be read but doesn't have the 0x55AA signature, then it'll warn you that you have a 'Missing operating system'. However, if both tests are passed then the program contained in the Volume Boot Sector will launch, and this leads to launching Windows itself.
Boot problems might arise at this stage if your PC is trying to start from the wrong device. Launch your BIOS setup program, look for the boot order list and change it so that your hard drive (or preferred boot device) comes first. This will also give the boot process a small speed boost.
It's more likely that one of the boot structures on your hard drive has become corrupted, though, and Windows Vista can usually fix this automatically. Boot from your Windows installation disc, then work your way through the wizard, clicking the 'Repair Your Computer' option when you see it. Choose the operating system to repair, click 'Next', and select 'Startup Repair' to fix the problem. Alternatively, use the tool 'bootrec.exe' to do it for yourself (see www.support.microsoft.com/kb/927392
XP users have more manual work to do. You'll need to boot from your Windows installation disc, launch the Recovery Console and try the 'FIXMBR' or 'FIXBOOT' commands to fix the Master Boot Record or Boot Sector. However, FIXBOOT is risky if you've got more than one partition, as it may overwrite the current partition table.
The free tool Parted Magic (www.partedmagic.com) may be useful here, as it creates a bootable CD that can fix the MBR and Boot Sector, repair a broken partition table, recover a deleted partition and more. Just be careful. This is a very low-level tool: make a mistake and you could create more issues than you solve.
The Windows XP Volume Boot Sector starts by launching the program 'NTLDR'. You'll see an error if this is missing, but otherwise NTLDR will start and check the root directory for a valid hibernation file ('hiberfil.sys'). If found, NTLDR will restore it to memory so you carry on where you left off.
If you're not waking up a hibernating PC, NTLDR will read the settings held in 'boot.ini' instead, displaying a boot menu when you've got more than one operating system installed. If only XP is installed (or you chose it from the menu), NTLDR will carry on loading Windows.
This process is quite resilient, so if, for example, boot.ini is deleted, the boot can probably continue with default settings (after displaying an error). However, this isn't guaranteed and if NTLDR can't be found then you'll definitely be in trouble. Fortunately there's a very easy way to insure yourself against such problems.
Take a CD, DVD, floppy or spare USB drive, and copy boot.ini, NTLDR and 'Ntdetect.com' across from the root folder of your hard drive. If one of these files becomes corrupted and Windows won't start, boot from this emergency disc instead. Assuming there's no other damage, Windows should start, and you can copy your system files back from the boot device to the hard drive.
If you didn't make any preparations, you can also boot from your Windows CD, launch the Recovery Console and copy NTLDR from the CD to your hard drive (use a command like 'COPY D:i386NTLDR C:', where 'D:' is replaced by the letter for your DVD drive). Or, if a missing boot.ini is the problem, enter the command 'BOOTCFG / REBUILD' to recreate it. (There's more about Recovery Console at www.support.microsoft.com/kb/314058
Under Windows Vista there is no NTLDR, and instead the Volume Boot Sector locates and launches the Vista Boot Manager, 'bootmgr.exe'. This reads your startup settings from their new location, the Boot Configuration Data file (BCD). You'll then see a boot menu if there's more than one operating system installed.
If you only have Vista installed, or have chosen Vista from the menu, then Boot Manager will transfer control to either Windows Resume when you're resuming from hibernation, or the Windows Loader if you're starting from scratch.
The most common problem here is a missing or corrupted BCD, resulting in error messages like 'Windows Boot Configuration Data file is missing'. These errors can usually be fixed by the Startup Repair tool that we discussed earlier, but you can also restore the BCD manually.
Boot from your Windows Vista DVD and work your way to the System Recovery Options dialog as previously. This time, select 'Command Prompt' rather than 'System Repair', then type 'Bootrec / RebuildBcd' and press [Enter]. Type 'Yes' to confirm your Windows installation path and look for a confirmation message telling you that all is well.
Occasionally this will fail if bootrec.exe can't find a Windows installation. You could try removing and recreating the BCD by entering the commands 'Bcdedit /export C:BCD_Backup', 'ren c:bootbcd bcd.old' or 'Bootrec /rebuildbcd'.
If that doesn't work, then rebuild the file manually, see www.support.microsoft.com/kb/927391
When you're not restoring a hibernating PC, Windows uses the BIOS to collect very basic information on your PC buses, hard drives, video adaptors and so on. This is extremely limited, but there's really no alternative because Windows' own, more sophisticated tools can't be run yet. If the BIOS returns incorrect information then this can cause odd problems, but you can check its report for yourself by browsing the Registry at HKLMHardwareDescription.
NTLDR (or 'winload.exe') then loads core files like the Windows kernel ('Windowssystem32ntoskrnl.exe') and Hardware Abstraction Layer ('Windowssystem32hal.dll').
Next to be loaded is the System section of the Registry (Windowssystem32confi gsystem). Windows then reads all the drivers listed under HKLMSystemCurrentControl SetServices, loading anything with a Start value of 0. This marks them as boot drivers that deliver such a core service that they must be loaded before anything else.
In fact, they're loaded even in Safe Mode, so buggy third-party boot drivers can stop your PC starting altogether. To view the boot drivers on your system, run 'msinfo32.exe', click 'Software Environment | System Drivers' and the 'Start Mode' column header, then scroll down, looking for everything with a Start Mode of 'boot'.
Everything loaded is checked against a security catalogue that holds the digital signatures for the original files ('WindowsSystem32catrootnt5.cat'). That's good for security, but a problem if the catalogue becomes corrupted, as the boot stops if the signatures don't match. NTLDR/winload.exe's final task is to launch the Windows kernel. This really gets things moving by initialising your processors, then its memory manager, Plug and Play manager, process manager and just about every other core service it provides.
There should also be a visual indicator of progress about now, as the kernel loads the boot video driver. This isn't your actual video driver: it's just a generic Windows file that knows just enough to display simple images and progress information.
The kernel carries on initialising various low-level structures until it reaches one of the most important stages so far: the I/O Manager starts up Plug and Play (PnP) and begins the process of loading your remaining device drivers.
Boot problems here are often caused by corrupt or missing Registry files, resulting in a message complaining that the 'windowssystem32confi gsystem' file is 'Missing or corrupt'. If you're using Vista, you should be able to fix this by using System Restore or booting from the Last Known Good Configuration (press [F8] when you boot, select 'Advanced Boot Options'), but XP users may find they're stuck with just the Recovery Console. Fortunately, Microsoft detail a procedure that lets you recover a Registry backup copy from the command line (see www.support.microsoft.com/kb/307545
Plug and Play
The PnP manager initially knows of just one virtual device on your PC, and it's named 'root'. This is used by the Hardware Abstraction Layer to detect your main bus and everything directly connected to the motherboard. Any discovered hardware returns a vendor ID representing the manufacturer and a product ID that tells Windows what it is.
The PnP Manager then looks in the Registry under HKLMSystemCurrentControlSetEnum to find a key where the hardware type, vendor and product ID match the device. The key should contain a value called 'Driver' which points to a particular Registry key under HKLM SYSTEMControlSet001Control Class and a value called 'infpath' that points to the driver INF file in WindowsInf.
This finally tells Windows where to load the driver. Alternatively, it'll discover that you don't have a driver installed for this device at all, in which case you'll be prompted to add it later, once Explorer has started.
As the process goes on, Windows will find different buses (PCI, USB and so on). It'll load their drivers, which will go on to discover everything attached to them, and this continues until all your hardware has been detected and the appropriate drivers loaded.
Hardware problems, driver faults or conflicts here can result in a very slow boot or your PC hanging altogether. If your PC locks up, but can boot in Safe Mode then that's a good indication of driver issues. Launch the Event Viewer ('eventvwr.msc') and look for recent errors that might offer clues. The Windows Vista Event Viewer also records details of performance problems during the boot process.
You can also ask Windows to record the drivers loaded during boot (run msconfig.exe, select the Boot tab, enable a Boot Log, restart and check 'WindowsNtbtlog.txt'). Remove or re-install hardware you've added recently and update other drivers, in particular for your motherboard.
Eventually, the kernel continues the boot process by launching Session Manager ('smss.exe'). This use the Registry keys at or below HKLM SystemCurrentControlSetSession Manager to call functions. It'll run any programs defined at the BootExecute Registry Key, for instance. Normally this just launches 'autochk.exe' (the boot version of 'chkdsk.exe'), but other programs - and some viruses - will add themselves to the list.
Session Manager is also responsible for delayed file rename or delete operations. If an uninstall program can't remove a file because it's in use, for example, it'll add its details to its 'FileRenameOperations' key. Session Manager will follow its instructions at the next boot.
Session Manager reads the list of Known DLLs from the 'KnownDLLs' Registry key. It creates your paging files according to the Registry settings at Memory ManagementPaging Files, loads the remaining Registry files from the Windows System32Config folder and creates the system environment variables you'll find at HKLMSystem CurrentControlSetSession ManagerEnvironment.
Next, Session Manager loads 'win32k.sys', a component that provides core Windows GUI services. This switches your display from the boot driver's basic VGA resolution to whatever you've got set up, so when this happens you'll know that the Session Manager is almost finished.
The most likely problem to occur here is that of a missing Registry. You can replace it using the same techniques that we used earlier in the Boot Drivers section.
Blue screen crashes naming win32k.sys are also common, but this file is rarely the culprit. Enter the stop code (it'll be something like '0x0000008e') and 'Win32k. sys' at www.support.microsoft.com
for more advice.
The Windows Session Manager now creates a session that will allow programs to be run. Under Vista, session 0 is reserved for Windows services, and Session Manager creates a second session for programs. It then launches another core Windows component, the Windows Client-Server Runtime SubSystem ('windowssystem32csrss.exe').