Chapter Overview

1
Chapter Overview

• Understanding the Boot Process
• Editing the Registry
• Using Startup and Recovery Tools
• Safe mode
• LastKnownGood configuration
• Advanced boot options
• Windows XP Professional Recovery Console

2
The Microsoft Windows XP Professional Boot
Process

• The boot process occurs in five stages
• Preboot sequence
• Boot sequence
• Kernel load
• Kernel initialization
• Logon

3
Files Used in the Windows XP Professional Boot
Process
4
Sample BOOT.INI File

• boot loader 
• timeout30 
• defaultmulti(0)disk(0)rdisk(0)partition(2)\WINDOW
  S 
• operating systems 
• multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
  Microsoft Windows XP Professional /fastdetect
•  
• multi(0)disk(0)rdisk(0)partition(1)\WINNT
  Windows NT Workstation Version 4.00

5
Advanced RISC Computing (ARC) Paths

• The BOOT.INI file contains ARC paths that point
  to the computers boot partition.
• Multi (x) scsi (x) represents the
  adapter/controller, where x indicates the load
  order of the hardware adapter.
• Use multi for all cases except for Small Computer
  System Interface (SCSI) controllers on which SCSI
  basic input/output system (BIOS) is not enabled.
• Disk(y) represents the SCSI ID.
• For multi, y is always 0.
• Rdisk(z) is a number that identifies the disk.
• This value is ignored for SCSI controllers.

6
Advanced RISC Computing (ARC) Paths (Cont.)

• Partition(a) identifies the partition number.
• Multi, scsi, disk, and rdisk numbers are assigned
  starting with 0.
• Partition numbers start with 1.
• All nonextended partitions are assigned numbers
  first.
• Logical drives in extended partitions are
  assigned numbers second.
• The scsi ARC naming convention varies the disk(y)
  parameters for successive disks on one
  controller, whereas the multi format varies the
  rdisk(z) parameter.

7
BOOT.INI Switches
8
Using System Properties to Modify BOOT.INI

• In Control Panel, click Performance And
  Maintenance.
• Click System to display the System Properties
  dialog box.
• Click the Advanced tab.
• Under Startup And Recovery, click Settings.
• Under Default Operating System, click the
  down-pointing arrow to display a list of
  operating systems installed on the computer.
• Click the name of the operating system you want
  to be the default operating system when the
  computer is started.
• Use the Time To Display List Of Operating Systems
  check box to set the time until the default
  operating system boots.

9
Manually Editing the BOOT.INI File

• During installation, Windows Setup sets the
  read-only and system attributes for the BOOT.INI
  file.
• You can change the file attributes for the
  BOOT.INI file by using
• My Computer or Windows Explorer
• The command prompt
• After changing the file attributes, open and
  modify BOOT.INI with any text editor, such as
  Microsoft Notepad.

10
Preboot Sequence Stage

• The computer runs power-on self test (POST)
  routines.
• The POST routines determine the amount of
  physical memory, the presence of hardware
  components, and so on.
• If the computer has a Plug and Play BIOS,
  enumeration and configuration of hardware devices
  occur at this stage.
• The computer BIOS locates the boot device and
  loads and runs the master boot record (MBR).
• The MBR
• Scans the partition table to locate the active
  partition
• Loads the boot sector on the active partition
  into memory
• Executes the boot sector
• The computer loads and initializes the NTLDR
  file, which is the operating system loader.

11
Boot Sequence Stage

• The second stage of the boot process is the boot
  sequence.
• After the computer loads NTLDR into memory, the
  boot sequence gathers information about hardware
  and drivers to prepare for the load phases.
• The boot sequence has four phases
• Initial boot loader phase
• Operating system selection
• Hardware detection
• Configuration selection

12
Initial Boot Loader Phase

• NTLDR switches the microprocessor from real mode
  to 32-bit flat memory mode, which NTLDR requires
  to carry out any additional functions.
• NTLDR starts the appropriate minifile system
  drivers, which
• Are built into NTLDR
• Enable NTLDR to find and load Windows XP
  Professional from partitions formatted with file
  allocation table (FAT), FAT32, or NT file system
  (NTFS)

13
Operating System Selection Phase

• During the boot sequence, NTLDR reads the
  BOOT.INI file.
• If more than one operating system selection is
  available in BOOT.INI, the Please Select The
  Operating System To Start screen appears.
• If no operating system is selected before the
  timer reaches zero, NTLDR loads the operating
  system specified by the default parameter in
  BOOT.INI.
• If there is only one entry in BOOT.INI, the
  default operating system is automatically loaded.
• If BOOT.INI is not present, NTLDR attempts to
  load Windows XP Professional from the first
  partition of the first disk, typically C\.

14
BOOTSECT.DOS

• If you select an operating system other than
  Windows XP Professional, NTLDR loads and executes
  BOOTSECT.DOS.
• BOOTSECT.DOS is a copy of the boot sector that
  was on the system partition when Windows XP
  Professional was installed.
• Passing execution to BOOTSECT.DOS starts the boot
  process for the selected operating system.

15
Hardware Detection Phase

• NTDETECT.COM and NTOSKRNL.EXE perform hardware
  detection.
• NTDETECT.COM executes after you select Windows XP
  Professional on the Please Select The Operating
  System To Start screen (or after the timer times
  out).
• NTDETECT.COM collects a list of currently
  installed hardware components and returns this
  list to NTLDR.

16
Hardware Detection Phase (Cont.)

• NTDETECT.COM detects the following components
• Bus/adapter type
• Communication ports
• Floating-point coprocessor
• Floppy disks
• Keyboard
• Mouse/pointing device
• Parallel ports
• SCSI adapters
• Video adapters

17
Configuration Selection Phase

• NTLDR does the following
• Starts loading Windows XP Professional
• Collects hardware information
• Presents the Hardware Profile/Configuration
  Recovery menu
• The first hardware profile on the Hardware
  Profile/Configuration Recovery menu is
  highlighted.
• Press Enter to select the highlighted hardware
  profile.
• Press the down-pointing arrow key to select
  another profile.
• Press L to invoke the LastKnownGood
  configuration.

18
Configuration Selection Phase (Cont.)

• If there is only a single hardware profile on the
  menu, NTLDR
• Does not display the Hardware Profile/Configuratio
  n Recovery menu
• Loads Windows XP Professional using the default
  hardware profile configuration

19
Kernel Load Stage

• During the kernel load stage, NTLDR does the
  following
• Loads NTOSKRNL.EXE but does not initialize it
• Loads the hardware abstraction layer file
  (HAL.DLL)
• Loads the HKEY_LOCAL_MACHINE\SYSTEM registry key
  from systemroot\System32\Config\System
• Selects the control set it will use to initialize
  the computer
• Loads device drivers with a value of 0x0 for the
  Start entry

20
Kernel Initialization Stage

• When the kernel load stage is complete, the
  kernel initializes, and NTLDR passes control to
  the kernel.
• The system displays a graphical screen with a
  status bar indicating load status.
• Four tasks are accomplished during the kernel
  initialization stage
• The Hardware key is created.
• The Clone control set is created.
• Device drivers are loaded and initialized.
• Services are started.

21
The Hardware Key Is Created

• On successful initialization, the kernel uses the
  data collected during hardware detection to
  create the registry key HKEY_LOCAL_MACHINE\HARDWAR
  E.
• The key contains information about
• Hardware components on the system board
• The interrupts used by specific hardware devices

22
The Clone Control Set Is Created

• The kernel creates the Clone control set by
  copying the control set referenced by the value
  of the Current entry in the HKEY_LOCAL_MACHINE\SYS
  TEM\Select subkey of the registry.
• The Clone control set is never modified because
  it is intended to be an identical copy of the
  data used to configure the computer and should
  not reflect changes made during the startup
  process.

23
Device Drivers Are Loaded and Initialized

• After creating the Clone control set, the kernel
  initializes the low-level device drivers that
  were loaded during the kernel load stage.
• The kernel then scans the HKEY_LOCAL_MACHINE\SYSTE
  M\CurrentControlSet\Services subkey of the
  registry for device drivers with a value of 0x1
  for the Start entry.
• A device drivers value for the Group entry
  specifies the order in which it loads.
• Device drivers initialize as soon as they load.
• If an error occurs, the boot process proceeds
  based on the value specified in the ErrorControl
  entry for the driver.

24
ErrorControl Values and Action

• 0x0 (Ignore) the boot sequence ignores the error
  and proceeds without displaying an error message.
• 0x1 (Normal) the boot sequence displays an error
  message but ignores the error and proceeds.
• 0x2 (Severe) the boot sequence fails and then
  restarts using the LastKnownGood control set.
• If the boot sequence is currently using the
  LastKnownGood control set, it ignores the error
  and proceeds.

25
ErrorControl Values and Action (Cont.)

• 0x3 (Critical) the boot sequence fails and then
  restarts using the LastKnownGood control set.
• However, if the LastKnownGood control set is
  causing the critical error, the boot sequence
  stops and displays an error message.
• ErrorControl values appear in the registry under
  the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentContr
  olSet\Services\name_of_service_or_driver\ErrorCon
  trol.

26
Services Are Started

• Session Manager (SMSS.EXE) does the following
• Reads and executes the commands specified in the
  BootExecute data item before it loads any
  services
• Reads the Memory Management key and creates the
  paging file information required by the Virtual
  Memory Manager
• Reads the DOS Devices key and creates symbolic
  links that direct certain classes of commands to
  the correct component in the file system
• Reads the SubSystems key and starts the Win32
  subsystem, which controls all input/output (I/O)
  and access to the video screen and starts the
  WinLogon process

27
Logon Stage

• The logon process begins when kernel
  initialization ends.
• The Win32 subsystem automatically starts
  WINLOGON.EXE.
• WINLOGON.EXE starts the Local Security Authority
  (LSASS.EXE) and displays the Logon dialog box.
• The Service Controller executes and makes a final
  scan of the HKEY_LOCAL_MACHINE\SYSTEM\CurrentCont
  rolSet\Services subkey and starts the following
  services
• All services with a start entry of 0x2
• Workstation service
• Server service

28
Logon Stage (Cont.)

• A Windows XP Professional startup is not
  considered good until a user successfully logs on
  to the system.
• After a successful logon, the system copies the
  Clone control set to the LastKnownGood control
  set.

29
Introduction to the Registry

• Windows XP Professional stores hardware and
  software settings centrally in a hierarchical
  database called the registry.
• The registry controls the Windows XP Professional
  operating system by providing the appropriate
  initialization information to
• Boot Windows XP Professional
• Start applications
• Load components such as device drivers and
  network protocols
• Most users never need to access the registry.
• Registry management is an important part of the
  system administrators job.

30
The Registry Contains Different Types of Data

• Hardware installed on the computer
• Installed device drivers
• Installed applications
• Installed network protocols
• Network adapter card settings

31
Windows XP Professional Components That Read,
Update, and Modify the Registry

• Windows XP Professional kernel (NTOSKRNL.EXE)
• Device drivers
• User profiles
• Setup programs
• Hardware profiles
• NTDETECT.COM

32
Hierarchical Structure of the Registry Subtrees

• A subtree or subtree key is analogous to the root
  folder of a disk.
• The Windows XP Professional registry has two
  subtrees
• HKEY_LOCAL_MACHINE
• HKEY_USERS
• To make the information easy to find in the
  registry, three additional subtrees are displayed
  in the editor
• HKEY_CLASSES_ROOT
• HKEY_CURRENT_USER
• HKEY_CURRENT_CONFIG

33
Hierarchical Structure of the Registry Keys,
Entries, and Hives

• Keys
• Keys are analogous to folders and subfolders.
• Keys correspond to hardware or software objects
  and groups of objects.
• Subkeys are keys within higher-level keys.
• Entries
• A key contains one or more entries.
• An entry has three parts name, data type, and
  value (data or configuration parameters).

34
Hierarchical Structure of the Registry Keys,
Entries, and Hives (Cont.)

• Hives
• A hive is a discrete body of keys, subkeys, and
  entries.
• Each hive has a corresponding registry file and
  .log file located in systemroot\System32\Config.
  
• Windows XP Professional uses the .log file to
  record changes and ensure the integrity of the
  registry.

35
Hierarchical Structure of the Registry Data
Types

• An entrys value is expressed as one of these
  data types
• REG_SZ (String value)
• REG_BINARY (Binary value)
• REG_DWORD (DWORD value)
• REG_MULTI_SZ (Multistring value)
• REG_EXPAND_SZ (Expandable string value)
• REG_FULL_RESOURCE_DESCRIPTOR (Multistring value)

36
Registry Subtrees

• HKEY_LOCAL_MACHINE contains all configuration
  data for the local computer, including hardware
  and operating system data.
• Applications, device drivers, and the operating
  system use this data to set the computer
  configuration.
• The data in this subtree remains constant
  regardless of the user.
• HKEY_USERS contains two subkeys.
• DEFAULT contains the system default settings
  (system default profile) used to display the
  CtrlAltDelete logon screen, and the security
  identifier (SID) of the current user.
• HKEY_CURRENT_USER is a child of HKEY_USERS.

37
Registry Subtrees (Cont.)

• HKEY_CURRENT_USER
• Contains data about the current user
• Retrieves a copy of each user account used to log
  on to the computer from the NTUSER.DAT file and
  stores it in the systemroot\Profiles\username
  key
• Points to the same data contained in
  HKEY_USERS\SID_currrently_logged_on_user
• Takes precedence over HKEY_LOCAL_MACHINE for
  duplicated values

38
Registry Subtrees (Cont.)

• HKEY_CLASSES ROOT
• Contains software configuration data object
  linking and embedding (OLE) and file-class
  association data
• Points to the Classes subkey under
  HKEY_LOCAL_MACHINE\SOFTWARE
• HKEY_CURRENT_CONFIG
• Contains data on the active hardware profile
  extracted from the SOFTWARE and SYSTEM hives
• Uses this data to configure settings such as the
  device drivers to load and the display resolution
  to use

39
The HKEY_LOCAL_MACHINE Subtree

• Provides a good example of the subtrees in the
  registry for two reasons
• The structure of all subtrees is similar.
• It contains information specific to the local
  computer and is always the same, regardless of
  the user who is logged on.
• Subkeys
• HARDWARE
• SAM
• SECURITY
• SOFTWARE
• SYSTEM

40
Control Sets

• A typical Windows XP Professional installation
  contains the following control set subkeys
• Clone
• ControlSet001
• ControlSet002
• CurrentControlSet
• Control sets are stored as subkeys of the
  registry key HKEY_LOCAL_MACHINE\SYSTEM.
• The entries in the HKEY_LOCAL_MACHINE\SYSTEM\Selec
  t subkey include the following
• Current
• Default
• Failed
• LastKnownGood

41
Using the Registry Editor

• Setup installs the Registry Editor (REGEDT32.EXE)
  in the systemroot\System32 directory during
  installation.
• Since most users do not need to use the Registry
  Editor, it does not appear on the Start menu.
• You start the Registry Editor by selecting Run on
  the Start menu, typing regedt32, and pressing
  Enter.
• The Registry Editor allows you to make manual
  edits in the Registry, but it is intended for
  troubleshooting and problem resolution.

42
Using the Registry Editor (Cont.)

• You should make most configuration changes to the
  registry through one of the following
• Control Panel
• Administrative Tools
• Some configuration changes can only be made using
  the Registry Editor.
• Using the Registry Editor incorrectly can cause
  serious, system-wide problems that could require
  reinstallation of Windows XP Professional.

43
Using the Registry Editor (Cont.)

• Before using the Registry Editor, you should use
  a tool such as Windows Backup to back up the
  System State, which includes the registry.
• The Registry Editor saves data automatically as
  you make entries or corrections.
• New registry data takes effect immediately.
• You can select Find Key on the View menu to
  search the registry for a specific key.

44
Introduction to the Startup and Recovery Tools

• Windows XP Professional provides tools and
  options to help you troubleshoot problems with
  starting your computer and recovering from
  disasters.
• These tools and options include the following
• Safe mode
• LastKnownGood configuration
• Recovery Console
• Automated System Restore Wizard

45
Using Safe Mode

• If your computer will not start, you might be
  able to start it in safe mode.
• Pressing F8 during operating system selection
  displays a screen with advanced options for
  booting Windows XP Professional.
• If you start your computer in safe mode, the
  background is black and Safe Mode appears in
  all four corners of the screen.
• Selecting safe mode causes Windows XP
  Professional to start with limited device drivers
  and system services.

46
Using Safe Mode (Cont.)

• Safe mode provides access to Windows XP
  Professional configuration files to let you make
  configuration changes.
• If your computer does not start in safe mode, you
  can try Windows XP Professional Automatic System
  Recovery.

47
Variations of Safe Mode

• Safe mode with networking
• Identical to safe mode except that it adds the
  drivers and services that enable networking to
  function when you restart your computer
• Allows Group Policy to be implemented, including
  both the policies implemented by the server
  during the logon process and the policies
  configured on the local computer
• Safe mode with command prompt
• Similar to safe mode, but it loads the command
  interpreter as the user shell, so when the
  computer restarts, it displays a command prompt

48
Using the LastKnownGood Configuration

• Selecting the LastKnownGood advanced boot option
  starts Windows XP Professional with the registry
  information that Windows XP Professional saved at
  the last shutdown.
• If you change a driver and have a problem
  rebooting, you can use the last known good
  process to recover your working configuration.

49
Using Default and LastKnownGood Configurations
50
When Using LastKnownGood Does Not Help

• When a problem is not related to Windows XP
  Professional configuration changes
• After you log on
• When startup failures relate to hardware failure
  or to missing or corrupted files

51
Using Other Advanced Boot Options

• Pressing F8 during the operating system selection
  phase displays a screen with the Windows Advanced
  Options menu.
• The Windows Advanced Options menu includes the
  following selections
• Enable Boot Logging
• Enable VGA mode
• Directory Services Restore Mode
• Debugging Mode

52
Introduction to the Recovery Console

• The Windows XP Professional Recovery Console is a
  text-mode command interpreter.
• It allows you to access NTFS, FAT, and FAT32
  volumes without starting Windows XP Professional.
• It allows you to perform a variety of
  troubleshooting and recovery tasks, including the
  following
• Starting and stopping services
• Reading and writing data on a local drive
• Formatting hard disks
• Repairing the MBR

53
Installing the Recovery Console

• Insert the Microsoft Windows XP Professional
  CD-ROM into your CD-ROM drive, or connect to the
  share where the installation files are available
  on the network.
• Open a Run dialog box or a Command Prompt window
  in Windows XP Professional.
• Change to the i386 folder on the CD-ROM.
• Run the winnt32 command with the /cmdcons switch.

54
Starting the Recovery Console

• After installing the Recovery Console, restart
  your computer.
• In the Please Select The Operating System To
  Start screen, select Microsoft Windows Recovery
  Console.
• After starting the Recovery Console, if more than
  one installation of Windows XP Professional is
  installed on your computer, specify which
  installation you want to log on to.
• Log on as the local computer administrator.

55
Using the Recovery Console from CD-ROM

• Insert the Microsoft Windows XP Professional
  CD-ROM into your CD-ROM drive and restart your
  computer.
• When Setup displays the Setup Notification
  message, read it, and then press Enter to
  continue.
• When Setup displays the Welcome To Setup screen,
  press R to repair a Windows XP Professional
  installation.
• In the Windows XP Recovery Console screen, press
  C to start the Recovery Console.
• Type 1, and then press Enter.
• If you have more than one Windows XP Professional
  installation on the computer, type the number of
  the Windows XP Professional you want to repair,
  and then press Enter.

56
Using the Recovery Console from CD-ROM (Cont.)

• When prompted to enter the Administrators
  password, type the password, and then press
  Enter.
• Setup displays a command prompt that allows you
  to do the following
• Type help and press Enter for a list of commands.
• Type the command to execute and press Enter.
• Type exit and then press Enter to restart the
  computer.

57
Chapter Summary

• NTLDR and NTDETECT.COM are required files in the
  Windows XP Professional boot process.
• BOOTSECT.DOS is a copy of the boot sector that
  was on the system partition when Windows XP
  Professional was installed.
• It is used only if you load an operating system
  other than Windows XP Professional.
• When you install Windows XP Professional, Windows
  Setup saves the BOOT.INI file in the active
  partition.
• The Windows XP Professional boot process occurs
  in five stages preboot sequence, boot sequence,
  kernel load, kernel initialization, and logon.

58
Chapter Summary (Cont.)

• Windows XP Professional stores hardware and
  software settings in the registry, a hierarchical
  database that replaces many of the .ini, .sys,
  and .com configuration files used in earlier
  versions of Microsoft Windows.
• The registry has two subtrees HKEY_LOCAL
  _MACHINE and HKEY_USERS.
• The Registry Editor (REGEDT32.EXE) lets you view
  and change the registry, but it is primarily
  intended for troubleshooting, not for manual
  configuration changes.
• For most configuration changes, you should use
  either Control Panel or Administrative Tools, not
  Registry Editor.

59
Chapter Summary (Cont.)

• If your computer will not start, you might be
  able to start it in safe mode.
• If you change the Windows XP Professional
  configuration to load a driver and have problems
  rebooting, you can use the LastKnownGood process
  to recover your working configuration.
• Pressing F8 during operating system selection
  displays a screen with the Windows Advanced
  Options menu, which provides the following
  options

• Safe Mode
• Safe Mode With Networking
• Safe Mode With Command Prompt
• Enable Boot Logging

• Enable VGA Mode
• LastKnownGood Configuration
• Directory Services Restore Mode
• Debugging Mode