NT Server 4.0 Notes Intro Installing Environment System Policies File Systems Partitions Fault Tolerance Applications Networking Protocols Services RAS Internet NetWare Clients Replication Boot Process Troubleshooting

NT boots in stages:

• the boot sequence stage loads platform-specific components
• then the boot process continues common to all platforms

Windows NT boot process occurs in these stages:

• The Power On Self Test (POST) Process
• The Initial Startup Process
• The Boot Loader Process
• The Boot Sequence
• The Load Phase

•  All these files MUST be in the root directory of the system partition

File	File Attributes	Function
Ntldr	H; R ; S	Loads OS
Boot.ini	R ; S	Builds OS Loader V4.00 Operating System Selection menu
Bootsect.dos	H	Loaded by Ntldr if another OS (MS-DOS, Windows 95, OS/2 1.x ) is selected instead of Windows NT. Contains a copy of the boot sector that was on hard disk before installing Windows NT
NTdetect.com	H; R ; S	Used to examine available hardware and to build a hardware list. Information is passed back to Ntldr to be added to registry later in boot
NTbootdd.sys	H; R ; S	Only on systems booting from BIOS-disabled SCSI hard disk, Driver accesses devices attached to SCSI adapter during Windows NT boot sequence.

File	Function
Osloader.exe	OS loader; equivalent to Ntldr
*.pal (Alpha only)	these files contain PAL code, software subroutines that provide an OS with direct control of the microprocessor

Files Required for NT System Boot

Preboot Sequence

• POST  à determines amount of physical memory and presence of hardware components
• Boot device located and MBR is loaded in memory; the program in MBR is run.
• MBR scans Partition Boot Record (PBR) table to locate active partition and its boot sector is loaded into memory.
• Ntldr is loaded and then initialized from boot sector.

 

Note: when Windows NT is first installed on the machine, it changes the boot sector so that Ntldr loads on system startup.

Boot Sequence

• Boot sequence begins after Ntldr is loaded in memory
• Boot sequence gathers information about hardware and drivers in preparation for the Windows NT load phases.
• These files are used during the Boot Sequence:Ntldr, Boot.ini, Bootsect.dos, NTdetect.com and NToskrnl.exe are used.

• Ntldr switches microprocessor from real mode into 32-bit flat memory mode.
• Ntldr starts the appropriate minifile system drivers; these are built into Ntldr to find and load Windows NT from different file system formats (FAT, NTFS).
• Ntldr reads Boot.ini (if one exists) and then displays the OS selections contained within Boot.ini.

This is called the Boot Loader Operating System Selection menu.

• Ntldr loads OS. The OS that is loaded is one selected by user, if no selection the default OS.

If Windows NT is selected	If an OS other than NT is selected
ê	ê
Ntldr runs NTdetect.com. This scans the hardware and then sends the list of detected hardware back to Ntldr for later inclusion in registry under: HKEY_LOCAL_MACHINE\HARDWARE	Ntldr loads and runs Bootsect.dos and passes control to it. The other OS then boots. The NT boot process is an end. :-(

•  Ntldr then loads NToskrnl.exe, Hal.dll and the System hive. Ntldr scans the System hive and loads the device drivers configured to start at boot time.
• Finally, Ntldr starts NToskrnl.exe, at which point the boot process ends and the load phases begin.

• On RISC based computers, Ntldr functionality is build into the firmware.
• Initial stages of loading the Windows NT OS are performed by Osloader.exe (in stead of Ntldr)
• RISC POST routine collects the hardware information and passes it to Osloader.exe (NTdetect.com is also not needed)

1. ROM firmware selects a boot device by reading a boot precedence table from nonvolatile RAM.
2. For hard-disk boot, firmware reads MBR and determines whether system partition is present.
3. If system partition exists, firmware reads the first sector of partition into memory. It then examines BIOS Parameter Block to determine whether the volume’s file system is supported by the firmware.
4. If file system is supported by firmware, the firmware searches root directory of the volume for Osloader.exe, loads it and passes control to it, along with a list of available hardware.

1. Osloader.exe loads
• NToskrnl.exe,
• Hal.dll,
• *.pal and the
• System hive.
2. Osloader.exe scans System hive, and then loads the device drivers that are configured to start at boot time.
3. Osloader.exe then passes control to NToskrnl.exe. This ends the NT boot sequence.

Files Needed for Boot:

The boot sequence for both the RISC and Intel x86 platform ends and the load process starts when control is passed from Ntldr to NToskrnl.exe, with the following phases:

• Kernel load. HAL is loaded
• Kernel Initialization
• Services Load
• Win32 Subsystem Start
• User Logs On. Last known good is created.

Kernel Load Phase

• Kernel load phase begins as soon as NToskrnl.exe is loaded.
• HAL (Hardware abstraction layer), which hides platform-specific issues from NT as you may recall, is loaded after kernel.
• System hive is loaded next and scanned for drivers and services that should be loaded at this stage. These drivers and services are loaded but not initialized, in the order in which they appear beside "List" in the HKEY_LOCAL_MACHINE\SYTEM\CurrectControlset\Control\ServiceGroupOrdER.
• This portion of the boot sequence occurs when the screen clears after NTdetect.com has run and progress dots (…) are displayed across the top of the screen. You can display the name of the drivers being loaded on this screen by adding an /sos switch to the appropriate OS line in Boot.ini.

Kernel Initialization Phase

• The kernel initialization phase initializes the kernel and the drivers that were loaded during the kernel load phase.
• During this phase, the System hive is again scanned to determine which high-level drivers should be loaded. These drivers are initialized and loaded after the kernel has been initialized.
• The registry's CurrentControlSet is then saved, and the Clone control set is created and initialized, but not saved. The registry hardware list is then created, using the information from NTdetect.com (Intel) or Osloader.exe (RISC).
• A control set contains configuration data used to control the system, such as which device drivers and services to load and start. Control sets are stored in the registry as subkeys of HKEY_LOCAL_MACHINE\SYSTEM\Select
• In this stage of the boot sequence the screen is painted blue.

ErrorControl Values

• 0x0--"Ignore". The boot sequence ignores the error and proceeds without displaying an error message.
• 0x1--"Normal". The boot sequence ignores the error and proceeds, but displaying error message.
• 0x2--"Severe". The boot sequence fails and then restarts using the LastKnownGood control set. The error is ignored and the boot sequence continues.
• 0x3--"Critical". The boot sequence fails and then restarts  using the LastKnownGood control set. If the boot sequence is currently using the LastKnownGood control set, the boot sequence stops and an error message is displayed.
• ErrorControl Values are stored in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

Name_of_service_or_driver\ErrorControl.

Services Load Phase

The services Load Phase starts the Session Manager (Smss.exe), which starts the higher-order subsystems and services for NT. Session Manager carries out the instructions under the following four registry entries:

• BootExecute Data Item. Session Manager immediately reads and carries out the list of programs in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute. The default entry is: autocheck autockk *. Autocheck.exe is the boot-time version of Chkdsk. * causes an automatic check of each partition.

• Memory Management Key. After all of the checks have been successfully performed on the system's hard disks, Session Manager sets up the paging files defined in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PageFiles. When the partitions are checked and the paging files are setup, the CurrectControlSet and the Clone control set are written to the registry.
• DOS Devices Key. Next, the Session Manager creates symbolic links. These links direct certain classes of commands to the correct component in the file system.
• Subsystems Key. The last step performed by Session Manager is to load the required subsystems, as defined in the registry in: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Required. The default is the Win32 subsystem.

Win32 Subsystem Start Phase

• When the Win32 subsystem starts, it automatically starts Winlogon.exe, which starts the Local Security Authority (Lsass.exe) and displays the CTRL+ALT+DEL logon dialog box.
• Next the Service Controller (Screg.exe) is run, which makes a final pass through the registry looking for services that are marked to load automatically, such as the Workstation and Server services. The services that are loaded during this phase are loaded based on their dependencies, that is, their DependOnGroup or DependOnService.

User Logs On

• The boot is not considered good until a user successfully logs on to the system.
• After a successful logon, the Clone control set is copied to the LastKnownGood control set.

Required Boot Files:

1. Windows NT boot disk must be formatted on a Windows NT computer so that the boot sector on the floppy disk can find and run Ntldr.
2. If computer is Intel x86-based, Boot.ini on boot disk may need to be modified to reflect the Advanced RISC Computing (ARC) path to system partition on the failed computer. The path includes disk controller, disk drive and partition for Windows NT system files.
3. After created, use it to start Windows NT. Only certain files are loaded from floppy disk. All others are accessed from the hard disk of computer. If NToskrnl.exe or other files on hard disk are corrupt, the boot disk will be of NO use until the file is restored.

Use the Emergency Repair Disk to restore missing or corrupt files.
 

• After a user successfully logs on to Windows NT, current configuration information from registry key HKEY_LOCAL_MACHINE is copied to the LastKnownGood control set.
• This is a copy of the most recent LastKnownGood control set used to successfully boot Windows NT.

Function of Last Known Good Configuration

• Windows NT provides two configurations in which you can start your computer
• Default. The configuration that was saved when you shut down the computer.
• Last known Good. The configuration the was saved when you last successfully logged on to your computer.
• When you logon, the Last Known Good Configuration is saved if the logon is successful. If unsuccessful, the Last Known Good is tried.

When to Use the Last Known Good Configuration

If NT is going to load, normally the default control set will load

• Two conditions that cause the system to load the last Known Good configuration.
• When the system is recovering from a severe or critical device driver loading error.
• When the Last Known Good configuration is selected during the boot process.

Use the Last Known Good control set to recover from the following types of problems

Use it to recover from following types of problems:

• After a new device driver is installed, Windows NT is restarted, but system stops responding.
• After a new video driver is installed and the system is restarted. However nothing is visible on the computer screen, because the new video resolution is incompatible with the video adapter.
• A critical device driver, such as the SCSI port driver, is accidentally disabled. Automatic.

Using it doesn't help in following situations:

• When problem is unrelated to changes in the control set information, such as might arise from incorrectly configured user profiles or file permissions.
• When logging on after making changes. The control set has been updated.
• When switching between different hardware profiles. LastKnownGood control set is only a method for switching between configuration information in the registry.
• When startup failures are caused by hardware failures or missing or corrupted files.

How to Use the Last Known Good Configuration

• Creating and Updating an Emergency Repair Disk

 

• Emergency Repair folder and disk are used to return a computer running Windows NT to the state of the last Emergency Repair update or to the state just after the Windows NT installation.
• Disk can repair missing or corrupt Windows NT files and restore the registry. Which include Security Accounts Manager (SAM) database, security information, disk configuration information, software registry entries and other system information.
• Repair Disk utility (Rdisk.exe) is located in Systemroot\System32, and has two options:

The Update Repair Info Option

• Overwrites files in systemroot\Repair folder. During the update process, a $$hive$$.tmp file is created, which temporarily stores registry information before it is copied to the appropriate file.
• After update the repair process prompts the user to create an Emergency Repair Disk. This option formats a floppy and then creates an Emergency Repair Disk
• This is the same result as selecting Create Repair Disk. Also copies of Autoexec.nt and Config.nt are placed in the folder.

Note: - This option deletes and creates files if Windows NT is installed on an NTFS partition, this user must have appropriate permissions.  One must be member of Administrators or Power Users group or have appropriate privileges. For others it seems to work, but with saving files you get an error message that not all files could be saved Repair Disk utility will not back up Default, SAM, or Security files, unless the /s parameter with rdisk command is specified.

Create Repair Disk Option

• prompts the user to insert a disk that can be formatted in drive A.
• If current repair disk is used, Create Repair Disk does not update the disk, but reformats it and creates new repair disk.

Soooo, a NEW REPAIR DISK ALWAYS CREATED.

Setup.log

• Is located in Emergency Repair folder and on the Emergency Repair disk. Setup.log is used to check the validity of the Windows NT files on the system.

Files Included on the Emergency Repair Disk
"._" means compressed version.

Decompress the compressed files with the expand utility.
 

• The original installation CD, in case any files are detected as missing or corrupt.
• If the SAM database is replaced, the Administrator Password stored on the ERD.
• If Emergency Repair Process failed to repair, you need to reinstall NT from the original installation source.
• To repair a Windows NT installation, Windows NT Setup needs either configuration information saved in systemroot\Repair folder or on Emergency Repair disk

The repair process in Windows NT Setup enables selection of what is to be repaired.
  Inspect Registry Files. Setup replaces one or more registry files with the files that were created when NT was first installed, or when the ERD was last updated. All changes made to the system since the last update to the repair files are lost. Inspect startup environment. Select this option if NT is installed but does not appear in the list of bootable systems. For this option, the ERD is needed. Verify Windows NT system files. Select this option to verify that each file in the installation is good and matches the files that was installed from the distribution files. The repair process also verifies that files need to start, such as Ntldr and NToskrnl.exe are present and valid. When the repair process determines that file on the disk does not match what was installed, it displays a message that identifies the file asks whether you want to replace it. Inspect boot sector. Select this option if no system that is installed on the computer boots. Setup copies a new boot sector the hard disk.

Common Boot Process Errors

• If the Ntldr file is missing, the following message appears before the Boot Loader Operating System Selection menu:

• If NTdetect.com is missing, the following message appears before the Boot Loader Operating System Selection menu:

• If NToskrnl.exe is missing, the following message appears after the Last Known Good prompt:

• If Bootsect.dos is missing, the following message appears before the Boot Loader Operating System Selection menu when user tries to boot an MS-DOS based system. Bootsect.dos contains partition information specific to the computer and cannot borrow from other computers

All above cases can be restored with Emergency Repair process.

• [boot loader]
• timeout
• the number of seconds to wait before continuing to load the default
• If you set timeout=0, the Boot Loader Operating System Selection menu may appear briefly or not at all.
• default
• The path to the default OS that will load when timeout reaches 0
• [operating systems]
• List of OSs displayed on Boot Loader Operating System Menu
• with ARC path info for loading.

• A New Operating System Appears on the Boot Loader Operating System Selection Menu. If the path name for the default parameter in the [boot loader]section of Boot.ini does not match an of the path names in the [operating system] section of Boot.ini, the menu selection "NT(default)" appears. This selection is highlighted and loads unless the user selects another operating system.

There are three situations when you get this message:

Windows NT could not start because the following file is missing or corrupt: <winnt root>\system32\ntoskrnl.exe

Please reinstall a copy of the above file.

1. Boot.ini is missing. Ntldr automatically tries to boot NT if NT is installed in the default folder of multi(0)disk(0)rdisk(0)partition(1)\Winnt or scsi(0)disk(0)rdisk(0)partition(1)\Winnt, Windows NT boots successfully. Otherwise, the following message appears
2. Invalid Windows NT Path Name. If the path anme to NT is incorrect in the Boot.ini file, the following message appears.
3. The NToskrnl.exe could actually BE missing or corrupt!

• Invalid Device in Windows NT Path. If there is an invalid device in the path to NT in the Boot.ini file, the following message appears:

You receive the following error message, find out what file is missing.

• One of the computers that support can no longer boot to DOS, even though it appears on the boot menu. Why? Probably the Bootsec.dos is corrupted.
• You created a NT boot disk that contains all the files as needed, but you get the following error message when you used it, Why.

• You change the settings for your network adapter card. When you reboot, you receive the following message: " One or more services failed to start." When you attempt to log on you receive a message stating that a domain controller could not be found, but you were logged on using cached credentials. After logging on, you found that you couldn't connect to network resources. You shut down your computer restart using the Last Known Good configuration, but the same behavior results. Why?

• You receive a call from someone who tells you that he forgot the administrator Password. He used ERD to restore the original administrator PW, and now no one else can log on to the system. Why and how to correct?

• You got the following error message. What went wrong?

Top of page

Comments and suggestions? E-mail me at grantwilson21@yahoo.com I'm sorry, but I can't answer specific network-related, or exam-related questions.
Last Updated: August 6, 2001	Grant Wilson, Edmonton, AB Canada