Chapter 6: Working with System Files and the Boot Process

Exam Objectives

• Identify the names and purposes of each file required to boot up a Windows XP, Windows Vista, and Windows 7 computer

• Identify the locations of Windows XP, Windows Vista, and Windows 7 boot files

Starting a computer has long been referred to as booting. Before you can use your computer, you need to be able to boot it to a point where the operating system (OS) is functional. Otherwise, your computer is like a safe without a known combination. This chapter will help you get that “safe” open by examining the boot process, which encompasses a series of steps, from powering on to loading the OS shell. This chapter reviews the hardware POST (Power-on Self-Test) process and then concentrates on the OS portion of the overall process. It also introduces you to the standard Windows boot process and the files that are required, and explains how to correct or deal with boot problems related to the boot files. A solid understanding of the Windows boot files will prepare you for the exam, and a general knowledge of the other files will prepare you for working with these systems in the field.

If, as an A+ Certified Professional, you are faced with troubleshooting the boot process on a computer for a user, it is required that you understand the boot sequence. If you do not know what the normal boot process is, you will be at a deficit attempting to troubleshoot issues with it. As a CompTIA A+ Certified Professional, you will often have to bring your knowledge of the core operating system files to bear on your user’s computer conundrums.

For the exam: If you are unfamiliar with boot processes in general, focus on the entire chapter. The exam, though, focuses on the Windows boot process.

Power-on Self-Test (POST) process

The Power-on Self-Test (POST) process starts when power is applied to the system. Electrical current makes its way from the power lead on the motherboard to the ROM-BIOS chips; when the current is received by the BIOS chips, they immediately begin executing their programs. One of the first checks is the memory (both a count and integrity test). After the memory check, the POST process moves on to find out what ports or I/O devices exist on the system. If the system is equipped with a PnP BIOS (Plug and Play BIOS), as most new systems are, the BIOS-level PnP configuration takes place. The next thing that happens is a search for bootable disk devices. The order of this search is defined by the settings stored in CMOS memory, but is often a: (floppy drive), c: (first partition on the first bootable hard drive), and then CD-ROM.

For each device in the list of potential bootable devices, the partition table is checked for the active partition. Floppy disks and the CD-ROM check only the first partition. For this partition, the first sector is read and checked for a boot loader. For Windows XP, the boot loader is ntldr; the boot loader for Windows Vista and Windows 7 is bootmgr. When this file is located, it is executed. If it was not found on the first potential bootable device, the second and third devices are checked before reporting a boot failure.

Standard Boot Process for Windows XP

The Windows XP boot process is based on a process that goes back to its OS/2 roots and is shared with all Windows NT–based OSes (from Windows NT/3.1 to Windows XP). This process is very different from other older Microsoft operating systems, like MS-DOS. The POST process is the same, regardless of the OS that is installed on the computer, but that similarity ends as the boot loader is located at the end of the POST process.

The boot sector is created when the disk is formatted, and it contains a small program that has a mini file-system driver to read FAT, FAT32, and NTFS partitions. This program then looks for the real boot loader, which is ntldr.

Remember: Because of ARC naming conventions, Microsoft refers to the drive that has the boot sector on it as the system partition, and to the partition that has the windows directory on it as the boot partition. (You can read about ARC in a bit.) To help keep these terms straight, remember that the OS does not really “boot” until ntoskrnl.exe is launched from the windows directory.

Current Windows OSes use many of the same files as early Microsoft OSes, but the following sections will look specifically at the files that are used by Windows XP.

ntldr

The job of ntldr — the boot loader for Windows XP — is to coordinate the loading of the rest of the OS. ntldr is located in the root of your system partition, and if it is corrupted, it can easily be replaced from any other working copy of Windows XP. ntldr switches the memory model used on the system to a flat memory model: that is, it treats all memory on the system as one contiguous block. If your computer requires the ntbootdd.sys file, which is a SCSI controller driver, it is loaded by ntldr so that the rest of the boot process can access the boot drive. ntldr then reads the boot.ini file, if it exists, and displays the list of possible OSes that can be booted. If you want to know what happens when the boot.ini file is missing, read through Book VII, Chapter 1.

After you choose any version of a Windows-based OS, ntdetect.com is called. ntdetect.com performs hardware detection, scanning all hardware ports, the processor make, model, and description, and the amount of RAM on the system. After this information has been collected, it is returned to ntldr and will eventually make up the HKEY_LOCAL_MACHINE\HARDWARE key of the Registry.

The last step performed by ntldr is to launch ntoskrnl.exe. To launch ntoskrnl.exe, ntldr goes to the system32 subdirectory of the directory listed in the boot.ini file.

Technical stuff: When formatting a floppy disk using a modern version of Windows, the boot sector is set to look for ntldr. If you leave a disk in your computer when it is being rebooted, you will see this message:

NTLDR is Missing

Press any key to restart.

For disks formatted with an early version of Windows, like Windows 9x, this message will appear:

Invalid system disk

Replace the disk, and then press any key

You would receive those error messages because the required boot files are missing from the disk. The boot files that are required for Windows XP are covered here.

ntbootdd.sys

If you boot your computer from an IDE/ATA drive or a SCSI drive from a SCSI controller that supports its own BIOS, you won’t see the ntbootdd.sys file on your computer. However, if you are loading Windows XP from a SCSI drive on a controller that does not have its own BIOS, ntbootdd.sys appears on the root of the drive that has ntldr on it. ntbootdd.sys is the SCSI driver for your SCSI controller, but it has been renamed from the driver’s actual name to ntbootdd.sys.

boot.ini

The boot.ini file is a text file on the root of your system partition that lists the OSes that are available to boot. It contains two things: the default timeout value for the boot menu to be displayed, and where ntldr can find each copy of the OS. Upon looking at the boot.ini for the first time, you might be confused by the strange notation used to denote locations. This notation is called an ARC pathname, which I discuss in the next section.

Listing 6-1 shows a sample boot.ini file.

Listing 6-1: A Sample boot.ini File

[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
C:\="Microsoft Windows 98"
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Windows XP"
multi(0)disk(0)rdisk(0)partition(4)\WINNT="Windows 2000"
multi(0)disk(0)rdisk(0)partition(4)\WINNT="Win 2K Error" /SOS
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows NT 4.0"

The first section in the boot.ini file is the [boot loader] section. It lists the timeout value, the number of seconds to display the boot menu, and the default OS to boot. The default OS is located in the OS listing in the file. The first OS in the list with a matching path is loaded by ntldr.

In this code listing, the [operating systems] section lists all OSes that boot.ini knows about on the system. This section is built up and added to as you install multiple copies of Windows-based OSes on a system. (For example, you might have multiple versions of an OS installed if this is a testing or development system.) The sample boot.ini file in the preceding listing also has two entries that refer to the same path (partition 4). The difference between them is the /SOS switch at the end of the second line. The description strings that are used in this section are the display text for the boot menu, but they have no effect on the boot process of the OS.

If you have only one copy of Windows installed, you won’t see the boot menu at all because there is only one choice of OS to load.

ARC pathnames

Advanced RISC Computing Specification (ARC) is a rigid set of standards presented by the ACE (Advanced Computing Environment) initiative. This initiative has been sponsored by major vendors in the industry, and one of the standards that arose was a naming convention to refer to disk partitions. To understand the parts of this name, see Table 6-1.

Table 6-1 ARC Path Components (type, class, description)

SCSI (class: Adapter). The ordinal number of the SCSI controller located in the system. The ordinal number refers to the order in which the controller was located. The hardware is scanned according to the buses on the motherboard, and each bus is scanned starting with slot 1. If controllers were located in slots 1 and 3, the controller in slot 1 would be SCSI(0), and the controller in slot 3 would be SCSI(1). SCSI is used only in cases where the SCSI controller either does not have an onboard BIOS or has it disabled.

multi (class: Adapter). The ordinal number of the multifunction controller in the system. multi is used for all devices that do not fall under the SCSI entry above; this includes IDE, SATA, and SCSI controllers with the BIOS enabled.

Signature (class: Non-Classed). Notation that can be used in place of SCSI or multi to help conform to Plug and Play specifications. Each drive identified by the Windows XP OS has a signature written to it. The notation looks like Signature(8765bfa4) and tells ntldr to look for a drive that has that signature and load the OS from there, regardless of which controller it is found on.

disk (class: Controller). The SCSI ID number assigned to the SCSI drive on the system. This is set to 0 when using the multi (multifunction) adapter.

rdisk (class: Peripheral). The rigid disk number, referring to the physical location on the controller rather than the logical ID. (The SCSI ID number refers to a logical ID.)

partition (class: Block Device). The partition number for the partition that the OS will be found on. partition(0) refers to a drive with no partitions. Because Windows XP requires a partitioned drive to store files, the partition number will always be 1 or greater.

multi(0)disk(0)rdisk(0)partition(4)\WINNT="Windows 2000"

The previous line is from Listing 6-1 in the previous section. multi(0) refers to the first non-SCSI controller on the system; disk(0) is unused here because that field carries the SCSI ID of a disk and is always 0 with multi; rdisk(0) refers to the first disk on the controller; partition(4) is the fourth partition on the disk; and \WINNT is the directory on that partition. Windows XP–based OSes use this specification because the assignment of drive letters to partitions is flexible, but partition locations are very rigid, which prevents errors.
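As an added example (my own code, not from the book), the following Python parses Listing 6-1 and decodes each ARC pathname into the components of Table 6-1, then picks the entry ntldr would load by default, which is the first entry whose path matches the default= line. The sample input is the listing above with its path separators restored; the names parse_arc, parse_boot_ini and default_entry are my own.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed input: Listing 6-1 from the chapter, with path separators restored.
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=10
default=multi(0)disk(0)rdisk(0)partition(3)\WINDOWS
[operating systems]
C:\="Microsoft Windows 98"
multi(0)disk(0)rdisk(0)partition(3)\WINDOWS="Windows XP"
multi(0)disk(0)rdisk(0)partition(4)\WINNT="Windows 2000"
multi(0)disk(0)rdisk(0)partition(4)\WINNT="Win 2K Error" /SOS
multi(0)disk(0)rdisk(0)partition(2)\WINNT="Windows NT 4.0"
"""

# One ARC name: adapter(arg)disk(n)rdisk(n)partition(n)\directory (Table 6-1).
ARC_RE = re.compile(
    r"^(?P<adapter>multi|scsi|signature)\((?P<adapter_arg>[0-9a-fA-F]+)\)"
    r"disk\((?P<disk>\d+)\)rdisk\((?P<rdisk>\d+)\)partition\((?P<partition>\d+)\)"
    r"(?P<directory>\\.*)$",
    re.IGNORECASE,
)
# One [operating systems] line: path="description" followed by optional switches.
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<desc>[^"]*)"(?P<switches>.*)$')

@dataclass
class ArcPath:
    adapter: str        # multi, scsi or signature
    adapter_arg: str    # controller ordinal, or the hex disk signature
    disk: int           # SCSI ID; always 0 with multi
    rdisk: int          # physical disk number on the controller
    partition: int      # 1-based partition number (0 would mean unpartitioned)
    directory: str      # e.g. \WINDOWS

@dataclass
class BootEntry:
    path: str
    description: str    # boot-menu text only; no effect on the boot itself
    switches: list = field(default_factory=list)   # e.g. ["/SOS"]
    arc: Optional[ArcPath] = None                  # None for a plain C:\ entry

@dataclass
class BootIni:
    timeout: int
    default: str
    entries: list

def parse_arc(path: str) -> Optional[ArcPath]:
    """Decode an ARC pathname; returns None for non-ARC paths such as a drive letter."""
    m = ARC_RE.match(path.strip())
    if not m:
        return None
    return ArcPath(m["adapter"].lower(), m["adapter_arg"], int(m["disk"]),
                   int(m["rdisk"]), int(m["partition"]), m["directory"])

def parse_boot_ini(text: str) -> BootIni:
    """Read the [boot loader] and [operating systems] sections of a boot.ini."""
    section, timeout, default, entries = None, 30, "", []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "boot loader":
            key, _, value = line.partition("=")
            if key.strip().lower() == "timeout":
                timeout = int(value.strip())
            elif key.strip().lower() == "default":
                default = value.strip()
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if m:   # lines that do not fit the path="desc" shape are skipped
                path = m["path"].strip()
                entries.append(BootEntry(path, m["desc"], m["switches"].split(),
                                         parse_arc(path)))
    return BootIni(timeout, default, entries)

def default_entry(ini: BootIni) -> Optional[BootEntry]:
    """ntldr boots the first listed entry whose path matches default=."""
    for entry in ini.entries:
        if entry.path.lower() == ini.default.lower():
            return entry
    return None
```

The two partition-4 entries parse to the same path and differ only in their switch list, which is how ntldr sees them too.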

ntdetect.com

The next step after choosing a Windows-based OS from the boot.ini menu is to have ntdetect.com run. The only job for ntdetect.com is to find out what hardware is on the system. This detection process is similar to what happens during the POST process at the hardware level. ntdetect.com checks for the following components:

• Bus/adapter type

• Communication ports

• Computer ID

• Floating-point coprocessor

• Floppy disks

• Keyboard

• Mouse/pointing device

• Parallel ports

• SCSI adapters

• Video adapters

This information creates a hardware tree that is passed back to ntldr and eventually given to ntoskrnl.exe, which places it in the Registry.

ntoskrnl.exe

The main goal of the boot process is to get the OS kernel loaded and functioning. The computer has already given you a choice of OSes, inventoried the hardware, and is now ready to actually start loading the OS into memory. ntoskrnl.exe represents the first and most important step in this process. The OS kernel for Windows is responsible for all thread-level scheduling on the system. It plays a major control role, managing all other components on the system. Without it, there would be anarchy in the OS.

ntldr proceeds to the path specified in boot.ini to locate ntoskrnl.exe in the system32 folder. If ntldr locates the kernel, it proceeds to execute it. ntldr will generate a missing kernel error message if it fails to locate the kernel. Startup error messages are covered in Book VII, Chapter 1. After the kernel is running, ntldr passes control of the system to it. There are several steps to the kernel load, starting with loading devices, and then moving on to loading any system services. After the services are running, it loads the default shell application and user profile.

The default user profile is used to run the user logon process. At this point, the logon screen will tell you to Press Ctrl+Alt+Delete to begin. After providing logon credentials, that user session is discarded, and a new one is started for the new user.

The device load process

All the devices to be loaded during the system startup are listed in the Registry. The Registry includes information about each device here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<device>

In this location, you can find several values that describe how the device will start up. These values are listed in Table 6-2.

Table 6-2 Device and Service Settings in the Registry (value, description)

Display Name. This string is used to display the name in areas of Windows XP, such as Device Manager or the Services administrative tool.

Error Control. This value configures how errors will be reported back to the OS. A value of 0 does not report any errors with the device back to the OS. A value of 1 reports errors normally. A value of 2 makes errors severe and will cause an automatic reboot of the computer to the Last Known Good Configuration. A value of 3 makes errors critical and will also cause an automatic reboot of the computer to the Last Known Good Configuration. If the Last Known Good Configuration is already in use, severe errors will allow the computer to continue to boot, but critical errors will start the bug-check routine.

Group. Devices can be grouped. This is done mostly for dependencies: if any device in a group fails, dependent devices will not start.

Image Path. The path and name of the actual driver file that is used for the device or service.

Start. Identifies when the device will start up. The five start types are boot (0), system (1), automatic (2), manual (3), and disabled (4). Most devices have boot or system for a start value, but you might find a few set to automatic. Most services are set to either automatic or manual.

Tag. A Tag ID is assigned to the service when it is installed, but it is not actually used by the OS.

Type. Identifies the type of service or device. All devices should have a value of 1. Service types should be 1 for kernel device drivers, 2 for file system drivers, 4 for arguments for an adapter, 10 for single-process Win32 applications that follow the Service Control Protocol, and 20 for Win32 services that can share their process with other Win32 services.

The service load process

All services that are to be loaded during the system startup are listed in the Registry. The Registry includes information about each device in the following location:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<service>

This is the same location used for devices. The biggest difference between devices and services is that devices map out to a physical piece of hardware, but services are only software. The values for services are listed in Table 6-2 in the previous section.

Loading the shell

After processing all the device drivers, the user’s shell loads. The application that makes up the shell is defined by a shell= line in system.ini, the default being explorer.exe. If the current shell ever crashes and is removed from RAM, explorer.exe will be loaded. Explorer checks the Registry to see what desktop components are supposed to be displayed and then checks the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices key in the Registry to auto-start other applications. One of the services started at this point is the network service. When the network service has started, you are presented with a logon screen.

After loading the requested services, Explorer executes any entries that it finds in the Registry in the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce key. Each entry under RunOnce is executed sequentially, waiting for each to finish before moving on to the next. When these are completed, Explorer moves on to the run= and load= entries in win.ini to launch additional applications, followed by the Run entries in the Registry, found in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run, and finally the Startup group from the Start menu, Start⇒Programs⇒Startup.
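As an added example (my own code, not the book’s), this Python builds an inventory of those auto-start locations in the order just described, which is a useful review when a machine runs something at logon that nobody installed on purpose. The input is a constructed reg export of the three Run keys, a constructed win.ini and a Startup folder listing, so it runs offline; the names parse_reg_runkeys, parse_win_ini and autostart_inventory are my own.

```python
import re

# Sources in the order the chapter says the shell processes them.
ORDER = ["RunServices", "RunOnce", "win.ini", "Run", "Startup group"]
RUN_KEYS = {"run": "Run", "runonce": "RunOnce", "runservices": "RunServices"}
KEY_BASE = r"hkey_local_machine\software\microsoft\windows\currentversion"

# Constructed sample in 'reg export' format (not data from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"updater"="\"C:\\Program Files\\Example\\upd.exe\" /quiet"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\WINDOWS\\temp\\cleanup.cmd"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
'''
# Constructed win.ini [windows] section and Startup-folder listing.
SAMPLE_WIN_INI = "[windows]\nload=c:\\tools\\monitor.exe\nrun=c:\\tools\\helper.exe\n"
SAMPLE_STARTUP = ["Shortcut to notes.lnk"]

REG_VALUE_RE = re.compile(r'^"([^"]*)"="(.*)"$')   # "name"="string data"

def parse_reg_runkeys(text):
    """Return (source, value name, command) for every string value found
    under the Run, RunOnce and RunServices keys of a .reg export."""
    entries, source = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            base, _, sub = line[1:-1].rpartition("\\")
            # Only the three keys the chapter names; anything else is ignored.
            source = RUN_KEYS.get(sub.lower()) if base.lower() == KEY_BASE else None
            continue
        m = REG_VALUE_RE.match(line)
        if source and m:
            # .reg files escape backslashes and quotes inside string data.
            command = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
            entries.append((source, m.group(1), command))
    return entries

def parse_win_ini(text):
    """Return the run= and load= commands from the [windows] section."""
    entries, section = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
        elif section == "windows" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() in ("run", "load") and value.strip():
                entries.append(("win.ini", key.strip().lower(), value.strip()))
    return entries

def autostart_inventory(reg_text, win_ini_text, startup_files):
    """All auto-start entries, sorted into the order the shell runs them."""
    entries = parse_reg_runkeys(reg_text) + parse_win_ini(win_ini_text)
    entries += [("Startup group", name, name) for name in startup_files]
    return sorted(entries, key=lambda e: ORDER.index(e[0]))   # stable sort
```

On a real Windows XP system the first argument would be the output of reg export for each of the three keys and the last the contents of the user’s Startup folder.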

Tip: This process is almost identical for all versions of Windows that are based on Windows NT; this includes Windows XP. The two latest versions of Windows (Windows Vista and Windows 7) are also based on Windows NT, but Microsoft has taken the opportunity to modify the boot process to make improvements to the overall OS loading system.

Tip: For information on editing the Registry, see the regedit.exe section in Book VI, Chapter 4.

Standard Boot Process for Windows Vista and Windows 7

As with so many areas of the OS, Windows Vista and Windows 7 change the core boot process compared to previous versions of Windows. The first change that you will see in the boot process is the boot loader application, as well as where the configuration data is stored. In the case of Windows Vista and Windows 7, the boot loader is bootmgr. This process is used by the Windows OSes released after Windows Vista, so it is the same process that is used by Windows Server 2008 and Windows Server 2008 R2.

bootmgr

The boot manager (bootmgr) now takes over the role previously performed by ntldr. It is responsible for reading the boot configuration data stored in the boot configuration database and displaying the boot menu. You will find a rescue copy of bootmgr stored on the system volume in the \windows\boot\pcat directory, but the copy that is used to boot your computer is actually found in the root of the hidden System Reserved partition that Windows creates when you perform your installation. This partition is not so much hidden as simply not assigned a drive letter. The System Reserved partition is usually the first partition on your installation disk and will be marked as the active partition in the disk’s partition table. The active partition is the partition where the POST process looks to locate the boot loader. If it is not the System Reserved partition, it will be the C: drive.

Boot Configuration Database

Rather than relying on boot configuration being stored in a single file, such as boot.ini, Microsoft now uses a Boot Configuration Database (BCD). This database stores more comprehensive information about the boot settings. If you are using a computer that supports EFI (Extensible Firmware Interface), the BCD is stored in the EFI System Partition; but if you are using a computer that supports an IBM-style BIOS, the information is stored on the active partition in the \Boot\BCD file. If you need to make changes to this configuration, you can use the System Properties, msconfig.exe, bootrec.exe, or bcdedit.exe.

winload.exe

If you choose to boot to Windows, the boot manager transfers control to \windows\system32\winload.exe on the system volume. winload.exe — the OS boot loader — has one main job: to load the Windows OS kernel (ntoskrnl.exe).

Managing Memory and Virtual Memory

If you are lucky enough never to have created a boot disk for your computer, you have never had to get into the down-and-dirty world of memory management. When attempting to load device drivers and applications in the MS-DOS environment, you have a very limited amount of the memory to work with — 640KB — and if you are not careful, you can quickly run out of space, so you need to manage what and how device drivers and applications get loaded into memory. If you have to support MS-DOS–based applications within the Windows environment, or if you need to create custom boot disks that load your network drivers, you need to pay attention to this section. Memory management skills are becoming a lost art in the world of Windows.

With the adoption of Windows NT–based OSes, like Windows XP, Windows Vista, and Windows 7, you no longer need to worry about boot-time memory management because after the OS kernel loads, the memory structure switches to a flat memory model and implements a virtual memory structure.

As improvements were made in the field of RAM, and as computers with more and more memory continued to ship, software developers created applications that used the new memory. To make the entire process of managing memory easier, Microsoft decided to implement virtual memory for the Windows OSes. Virtual memory allows Windows to present a virtual machine (VM) that contains 4GB of memory to applications running in the Windows environment. It then uses a Virtual Memory Manager (VMM) to control the mapping between the virtual addresses used by the application and where the data is stored in physical memory. The VMM can also move data that is not being actively used from RAM to a file on the disk. The swapping of memory data pages to and from this file led to it being named the “swap file” in older versions of Windows and the “paging file” in newer versions (Windows XP, Windows Vista, and Windows 7). The drawback of swapping shows up when an application wants to use data that is in the swap file: it then has to wait for the data to be retrieved back into RAM before it can be accessed.

Access speeds of hard disks are measured in milliseconds (10^-3 s), and memory access is measured in nanoseconds (10^-9 s). It should not be hard to guess that this means that when data has to be retrieved from the swap file on a hard drive, the process is extremely slow relative to retrieving it directly from RAM.

Technical stuff: The VMM manages virtual memory addresses up to 4GB and the mapping of those addresses to a physical location, either in RAM or on a hard drive. You should rely on using the paging file only when applications need a small amount of additional memory. Most OSes implement virtual memory and allow it to use swap space on a hard drive to allow applications with high memory requirements to function, but greater performance will be achieved by adding more physical RAM to the system.

When an application needs to store information to memory, it passes the request to the VMM. VMM stores the information in RAM but might move the information to the swap file on the drive later. The process for retrieving application data is illustrated in Figure 6-1; the process looks like this:

1. When the application requests information, the VMM checks whether the information is in RAM.

2. If the information is in RAM, the information is simply returned to the application, and the process is complete.

3. If the information isn’t in RAM, VMM checks whether there is enough space in RAM to retrieve the information from the swap file.

4. If there is enough space to retrieve the information, the information is retrieved from the drive, stored into RAM, and passed on to the application; and the process is complete.

5. If there isn’t enough space to retrieve the information, VMM checks for memory locations that have not been accessed recently and passes them from RAM down to the swap file.

6. When enough information is moved to the swap file to make room for the requested information, that information is moved into RAM and then returned to the application.

Figure 6-1: The swap process.


A clean memory location in RAM is a location that has not been accessed since the last time the VMM marked it clean. If the memory location has been accessed with a read or write request, the location is marked as dirty. When looking for memory data to move to the swap file, each location is checked: if it is clean, its data is moved to the hard drive, and if it is dirty, it is marked clean again and left in place. If the first scan did not free enough RAM, an immediate second search for movable memory data is required, at which time any memory data that is now dirty is data that was accessed since the first scan, mere milliseconds ago. This algorithm is the Least Recently Used (LRU) algorithm, and it ensures that data that is actively used in RAM will stay in RAM.
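The six retrieval steps and the clean/dirty scan above, as an added Python simulation that is my own and not from the book: RAM is a fixed number of page slots, every other page lives in the paging file, each access marks a page dirty, and the eviction scan pages out clean pages while resetting dirty ones, repeating the scan when one pass frees too little. The names Vmm, store, load and _make_room are assumptions for the example.

```python
class Vmm:
    """Toy Virtual Memory Manager following the chapter's six steps.

    RAM holds at most ram_slots pages; the rest live in the paging (swap)
    file. A page in RAM carries a dirty flag that is set on every access
    and cleared only by the VMM's eviction scan.
    """

    def __init__(self, ram_slots: int):
        if ram_slots < 1:
            raise ValueError("need at least one RAM slot")
        self.ram_slots = ram_slots
        self.ram = {}      # page -> {"data": ..., "dirty": bool}
        self.swap = {}     # page -> data (the paging file)
        self.stats = {"hits": 0, "faults": 0, "paged_out": 0}

    def store(self, page, data):
        """An application stores data: it lands in RAM first and may be paged out later."""
        self.swap.pop(page, None)
        if page not in self.ram and len(self.ram) >= self.ram_slots:
            self._make_room(1)
        self.ram[page] = {"data": data, "dirty": True}

    def load(self, page):
        """Steps 1-6: return the page's data, paging it in if necessary."""
        if page in self.ram:                      # steps 1-2: already in RAM
            self.stats["hits"] += 1
            self.ram[page]["dirty"] = True        # any access marks it dirty
            return self.ram[page]["data"]
        if page not in self.swap:
            raise KeyError(page)                  # never stored at all
        self.stats["faults"] += 1                 # step 3: must come from disk
        if len(self.ram) >= self.ram_slots:       # step 5: no free slot
            self._make_room(1)
        data = self.swap.pop(page)                # steps 4/6: bring it into RAM
        self.ram[page] = {"data": data, "dirty": True}
        return data

    def _make_room(self, needed: int):
        """Eviction scan: clean pages go to the paging file; dirty pages are
        reset to clean and left. If one pass frees too little, the next pass
        finds dirty only those pages touched since the previous pass."""
        freed = 0
        while freed < needed:
            for page in list(self.ram):
                if freed >= needed:
                    break
                entry = self.ram[page]
                if entry["dirty"]:
                    entry["dirty"] = False        # second chance
                else:
                    self.swap[page] = self.ram.pop(page)["data"]
                    self.stats["paged_out"] += 1
                    freed += 1
```

With three slots, storing A, B, C and then D pages out A; touching B and then storing E pages out C rather than B, which is the "actively used data stays in RAM" property the chapter describes.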

The 32-bit versions of Windows allow a 32-bit memory space to be used. Rather than being able to use all 4GB (2^32 bytes) of address space, only 2GB is configured by default for use with User Mode processes. User Mode processes are applications or processes that run on the computer. This includes server processes such as Microsoft Exchange and Microsoft SQL. The 64-bit version of Windows allows a 64-bit address space to be used by the VMM, which makes the limit 16EB (2^64 bytes), but User Mode processes are limited to 8TB of space for running processes. The remainder of the space is used by operating system processes.

Getting an A+

This chapter examines the process undertaken by the software on your computer during the boot process. The basic boot process for Windows XP, Windows Vista, and Windows 7 computers is discussed, as well as the differences between them.

Key points that you should remember about this chapter are

• Virtual memory is managed by the Virtual Memory Manager, which presents a 4GB address space to applications on the system.

• Virtual memory is made up of physical RAM and hard drive space in the form of a swap file or paging file.

• The Windows XP, Windows Vista, and Windows 7 boot process uses the ntldr, ntbootdd.sys, ntdetect.com, bootmgr, BCD, winload.exe, and boot.ini files.

Prep Test

1. A user has a program that automatically starts when he logs into his computer. He would like to disable it. Where should he look for possible settings?

A. load= lines in win.ini
B. The Startup group in the Start menu
C. The RUN key in the Registry
D. All the above
E. None of the above

2. A user has attempted to boot his computer, but instead of seeing the Windows XP boot menu, he sees a message stating, “NTLDR is missing. Press any key to restart.” What should he do first?

A. Set the CD-ROM as bootable in the system CMOS and insert the Windows XP CD. This will allow him to complete an emergency repair.
B. Reinstall Windows XP.
C. Reboot the computer and enter Safe Mode; then choose RebuildBootSect.exe from the \windows\system32 directory.
D. Remove the floppy disk from the A: drive.

3. The search order for bootable drives is stored in which location?

A. System BIOS
B. PNP Configuration
C. io.sys
D. CMOS Memory

4. What driver is used to access virtual memory?

A. ramdrive.sys
B. himem.sys
C. emm386.exe
D. None of the above

5. What is the first file that is loaded as part of the Windows XP boot process?

A. io.sys
B. ntbootdd.sys
C. ntbooter
D. ntldr

6. How large is the memory address space that is presented to applications running on a Windows XP computer?

A. 640KB
B. 1MB
C. 1GB
D. 4GB

7. What file is a copy of the SCSI drivers for the SCSI controller in your Windows XP computer?

A. ntbootdd.sys
B. boot.ini
C. ntldr
D. ntdetect.com

8. What is the name of the file that Windows 7 uses to store memory data for the virtual memory system?

A. Memory file
B. Swap file
C. Storage file
D. Paging file

Answers

1. D. Automatic commands can be found in any of the listed locations (win.ini, Startup group, or the Registry). Review “Standard Boot Process for Windows XP.”

2. D. ntldr is missing in the error message that you will see if you attempt to boot from a Windows XP formatted disk that does not contain ntldr. Check out “Standard Boot Process for Windows XP.”

3. D. CMOS memory contains the boot device order. Take a look at “Power-on Self-Test (POST) process.”

4. D. Virtual memory reserves space on the hard drive to be used as RAM. It is managed by VMM32 and is loaded by Windows. Peek at “Managing Memory and Virtual Memory.”

5. D. ntldr is the first file that loads as part of the Windows 2000 boot process. Examine “Standard Boot Process for Windows XP.”

6. D. The memory address that is present to each application or VM is 4GB in size. Examine “Managing Memory and Virtual Memory.”

7. A. The ntbootdd.sys file is a copy of the SCSI driver that has been renamed and is used during the boot process. Refer to “Standard Boot Process for Windows XP.”

8. D. Windows 7 refers to the file used by virtual memory as a paging file or the page file. Look over “Memory and Virtual Memory.”
