Understand NT's initialization sequence
The boot process is the first of three major phases Windows NT goes through during one cycle of normal operation. The other phases are normal operation and shutdown. Although this column and other articles in Windows NT Magazine have extensively covered the details of NT's policies and mechanisms during normal operation, the boot process is not usually covered in depth (for a selection of these articles, see "Related Articles in Windows NT Magazine"). Even Microsoft's literature on the boot process, including Microsoft Windows NT Server 4.0 Resource Kit and Microsoft Windows NT Device Driver Kit, glosses over the details and presents a somewhat inaccurate picture of the steps NT goes through during a boot.
This month, I will begin a detailed tour through the NT boot process. I'll start at the point at which you install NT and proceed through the way NTLDR and NTDETECT execute. Device drivers are a crucial part of the boot process, so I'll present the way they control where in the boot they load and initialize. Next time, I'll describe how the Executive subsystems initialize, and then I'll show you how the Kernel launches the user-mode portion of NT by starting the Session Manager process, the Win32 subsystem, and the logon process. Along the way, I'll highlight the points at which various text appears on the screen to help you correlate the internal process with what you see when you watch NT boot.
Preboot
The NT boot process doesn't begin when you power on your computer or press the reset key. It begins when you install NT on your computer. At some point during the execution of NT's Setup program, NT prepares the system's primary hard disk with code that takes part in the boot process. Before I discuss what this code does, let me explain how and where NT places it on a disk. Since the early days of DOS, a standard has existed on x86 systems for the way physical hard disks are divided into logical disks. Microsoft operating systems (OSs) split hard disks into discrete areas known as partitions and use file systems (e.g., FAT, NTFS) to format each partition to be a logical drive. A hard disk can contain up to four primary partitions. Because this apportioning scheme would otherwise limit a disk to four logical drives, a special partition type, called an extended partition, further allocates up to four additional partitions within the primary partitions. Extended partitions can include extended partitions, which can contain extended partitions, and so on, making the number of drives an OS can place on a disk effectively infinite. Figure 1, page 60, gives an example of a hard disk layout.
Physical disks are addressed in units known as sectors. A hard-disk sector on an IBM-compatible PC is 512 bytes (sectors can be 1024 bytes on Alpha systems). Utilities that prepare hard disks for the definition of logical drives, including the DOS FDISK utility or the NT Setup program, write a sector of data called a Master Boot Record (MBR) to the first sector on a hard disk. The MBR includes a fixed amount of space that contains executable instructions and a table with four entries that define the locations of the primary partitions on the disk. When IBM-compatible computers boot, the first code they execute is called the BIOS, which is encoded into the computers' ROM. The BIOS reads the MBR off the first sector of a hard disk into memory and transfers control to the code in the MBR.
The MBRs that Microsoft partitioning tools write go through a similar process. First, an MBR's code scans through the primary partition table and locates the first partition with a flag that signals the partition is bootable. When the MBR finds at least one such flag, it reads the first sector from the flagged partition into memory and transfers control to code within the partition. The first sector of such a defined partition is called a boot sector.
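The partition-table scan described above, as an added Python example that is not part of the original article: it parses one 512-byte MBR sector, validates it, and returns the first entry flagged bootable, which is the same check an examiner would run on the first sector of a disk image. The table offset (446), the 0x55AA signature, the 0x80 boot flag and the partition type codes come from the standard MBR layout rather than from the article, and the sample sector is constructed.

```python
import struct

SECTOR_SIZE = 512          # x86 sector size given in the article
TABLE_OFFSET = 446         # standard MBR layout: partition table starts at 0x1BE
ENTRY_SIZE = 16            # four 16-byte entries
SIGNATURE = b"\x55\xaa"    # standard end-of-sector marker at offset 510
TYPES = {0x05: "extended", 0x06: "FAT16", 0x07: "NTFS", 0x0F: "extended (LBA)"}

def parse_mbr(sector):
    """Return the non-empty primary partition entries of one MBR sector."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != SIGNATURE:
        raise ValueError("missing 0x55AA signature; not a valid MBR")
    entries = []
    for slot in range(4):
        start = TABLE_OFFSET + slot * ENTRY_SIZE
        # Layout: status, CHS start (3), type, CHS end (3), first LBA, sector count
        status, ptype, first_lba, count = struct.unpack(
            "<B3xB3xII", sector[start:start + ENTRY_SIZE])
        if ptype == 0:
            continue  # unused slot
        if status not in (0x00, 0x80):
            raise ValueError(f"slot {slot}: invalid boot flag {status:#04x}")
        entries.append({"slot": slot, "bootable": status == 0x80,
                        "type": TYPES.get(ptype, hex(ptype)),
                        "first_lba": first_lba, "sectors": count})
    return entries

def boot_partition(entries):
    """Mimic the MBR code: pick the first entry whose bootable flag is set."""
    return next((e for e in entries if e["bootable"]), None)

def build_sample_mbr():
    """Constructed sample: a bootable FAT16 partition plus an extended partition."""
    sector = bytearray(SECTOR_SIZE)
    parts = [(0x80, 0x06, 63, 1_024_000), (0x00, 0x05, 1_024_063, 2_048_000)]
    for slot, (status, ptype, lba, count) in enumerate(parts):
        struct.pack_into("<B3xB3xII", sector, TABLE_OFFSET + slot * ENTRY_SIZE,
                         status, ptype, lba, count)
    sector[510:512] = SIGNATURE
    return bytes(sector)

if __name__ == "__main__":
    table = parse_mbr(build_sample_mbr())
    for entry in table:
        print(entry)
    print("boots from slot", boot_partition(table)["slot"])
```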
OSs generally write boot sectors to disks without a user's involvement. For example, when NT Setup writes the MBR to a hard disk, it also writes a boot record to the first bootable partition of the disk. If you're familiar with the DOS SYS command, you've probably used it to manually write DOS boot sectors to disks. NT Setup checks to see whether the boot sector it will overwrite with an NT boot sector is a valid DOS boot sector. If the boot sector is a valid DOS boot sector, NT Setup copies the boot sector's contents to a file named bootsect.dos in the root directory of the partition. I'll discuss the role bootsect.dos plays in dual-boot environments shortly.
Before writing a partition's boot sector, NT Setup ensures that the partition is formatted with a file system that NT supports, such as FAT or NTFS (NT 5.0 will also support FAT32). NT Setup formats the boot partition--and any other partition with a file system type you specify. If partitions are already formatted, you can instruct Setup to leave them alone. After Setup formats the boot partition, Setup copies the files NT uses to the logical drive, including two files that are part of the boot sequence, NTLDR and ntdetect.com.
Another of Setup's roles is to create a boot menu file, boot.ini, in the root directory of the boot partition. This file contains options for starting the version of NT that Setup installs and any preexisting NT installations. If bootsect.dos contains a valid DOS boot sector, one of the entries Setup creates in boot.ini is to boot into DOS. Listing 1 shows an example boot.ini file from a dual-boot computer on which DOS is installed before NT.
Mark Russinovich’s NT Internals: “Inside the Boot Process, Part 1” (November 1998) contains an error in the last paragraph on page 59. The author writes, “For example, when NT Setup writes the MBR to a hard disk, it also writes a boot record to the first bootable partition of the disk.” The correct term is boot sector, instead of boot record. Otherwise, the text implies that Master Boot Record (MBR) and a boot record exist.
The article also should have mentioned that a successful boot is one in which a successful logon has occurred, and only then is the recent boot saved as Last Known Good.
--James E. Haefele
You’re correct; boot sector is the appropriate term. In “Inside the Boot Process, Part 2” (January 1999), I explain Last Known Good in detail. Briefly, it is a copy of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet that NT makes after all the auto start drivers and services have successfully initialized. This action doesn’t depend on anyone logging on.
--Mark Russinovich
James E. Haefele August 06, 1999