Shortly after win32k.sys starts, it switches the screen to graphics mode. A
little later, Winlogon starts the Services subsystem (\winnt\system32\services.exe), which loads all services and device drivers marked Auto Start. (The
Services subsystem is also known as the Service Control Manager--SCM.)
Auto Start drivers and services can specify a dependency on a specific service
by including a DependOnService value in their Registry keys in a manner similar
to the way boot drivers use the DependOnGroup value. The SCM sorts and then
initializes the Auto Start drivers and services according to their group and tag
values in the same way the I/O Manager sorts the boot- and system-start drivers.
After the SCM initializes the Auto Start services and drivers, it deems the
boot successful. The Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet becomes the Last Known Good control set, because the system
booted successfully to this point. Earlier in the boot, NT made a copy of this
subkey and named the copy HKEY_LOCAL_MACHINE\SYSTEM\CLONE. Any changes
drivers make to the current control set during the boot do not change the CLONE
subkey copy. The SCM copies the CLONE subkey to another control set subkey
(e.g., HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001), and the SCM marks that
control set subkey as Last Known Good. The SCM marks the subkey by setting the
HKEY_LOCAL_MACHINE\SYSTEM\Select\LastKnownGood value to specify the
three-digit identifier at the end of the control set's subkey name (e.g., 001).
If a user chooses to boot to the Last Known Good menu during the first steps of
a boot, or if a driver returns a severe or critical error, the system uses
the Last Known Good profile subkey as
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. Doing so increases the chances that
the system will boot successfully, because at least one previous boot using the
Last Known Good profile was successful.
At approximately the time the Services subsystem is starting networking
services, Winlogon presents users with the initial logon dialog box. That action
brings us to the end of the boot process.
Shutdown
In contrast to the boot process, system shutdown is straightforward. First, the Win32 subsystem informs all Windows applications that the system is going down. Most applications exit voluntarily, and Winlogon stops any stragglers. Winlogon is in charge of finishing the shutdown process by calling the Executive subsystem function NtShutdownSystem. This function calls the I/O Manager, the Configuration Manager, the Memory Manager, and then the I/O Manager again, and informs them that they should prepare for the shutdown.
The first time NtShutdownSystem calls the I/O Manager, the I/O Manager
sends shutdown I/O packets to all device drivers that have requested shutdown notification. This action gives device drivers a chance to perform any special processing their device might require before NT exits. The Configuration Manager flushes any modified Registry data to disk, and the Memory Manager writes all modified pages containing file data back to their respective files. If the option to clear the paging file at shutdown is enabled, the Memory Manager clears the paging file at this time. The second time NtShutdownSystem calls the I/O Manager, the I/O Manager informs the file system drivers that the system is shutting down. Finally, if the system's user specified a reboot after the shutdown, the system calls the HAL to reboot the computer.
We've arrived at shutdown for this month's column. This two-column series about the boot process is a roadmap with visual cues to the operations that take place behind the scenes when your system boots. Table 3 presents a summary of
boot-process components with their execution modes and responsibilities.
Understanding the details of the boot process helps you to diagnose problems that can arise during a boot, and gives you insight into the way NT pulls itself up by its bootstraps.