
Boot Process in Windows:

Table of Contents

- Boot Process Overview
- BIOS Initialization
- OS Loader
- OS Initialization
  - Sub phase 1 - PreSMSS: Kernel Initialization
  - Sub phase 2 - SMSSInit: Session Initialization
  - Sub phase 3 - WinLogonInit: Winlogon Initialization
  - Sub phase 4 - ExplorerInit: Explorer Initialization
- The PostBoot phase
- The ReadyBootPrefetcher
- Additional references

Boot Process Overview


Fast OS startup performance is critical for a good user experience. The time required to boot the
operating system on a given computer to the point where the user can start working is one of the most
important benchmarks for Windows client performance. The Windows boot process consists of several
phases which are explained in more detail by the picture and supporting text below.

The Windows Performance Toolkit (included in the Windows 7.1 SDK) allows you to investigate most
of the boot phases (except for BIOS Initialization and OS Loader).

BIOS Initialization
During the BIOS Initialization phase, the platform firmware identifies and initializes hardware devices,
and then runs a power-on self-test (POST). The POST process ends when the BIOS detects a valid
system disk, reads the master boot record (MBR), and starts Bootmgr.exe. Bootmgr.exe finds and starts
Winload.exe on the Windows boot partition, which begins the OSLoader phase [1].

OS Loader
During the OSLoader phase, the Windows loader binary (Winload.exe) loads essential system drivers
that are required to read minimal data from the disk and initializes the system to the point where the
Windows kernel can begin execution. When the kernel starts to run, the OSloader loads the system
registry hive and additional drivers that are marked as BOOT_START into memory. [1]

This phase is mainly impacted by boot start drivers. While a delay caused by a dual boot menu would
be easy to fix, make sure that all boot start drivers are signed and up-to-date.
To identify boot start drivers which are not signed:
1. Create a boot trace using the Windows Performance Toolkit. For more information about how to
   create a trace, see the slow boot and logon analysis articles.

2. Run xperf -i <boottrace.etl> -o bootevents.txt -a dumper

3. Run findstr /C:"I-DCStart" bootevents.txt > bootevents.csv

4. Open bootevents.csv using Excel and run signtool verify /v <driver> for each driver listed.
   Signtool.exe is part of the Windows SDK.

5. If you find a driver which is not signed, look for driver updates.

OS Initialization
During the OS Initialization phase, most of the operating system work occurs. This phase involves
kernel initialization, Plug and Play activity, service start, logon, and Explorer (desktop) initialization.
The OS Initialization can be divided into four subphases. Each subphase has unique characteristics and
performance vulnerabilities. [1]
After you have taken a boot trace the different subphases are shown as follows in XPERFVIEW.EXE:

Sub phase 1 - PreSMSS: Kernel Initialization


The PreSMSS subphase begins when the kernel is invoked. During this subphase, the kernel
initializes data structures and components. It also starts the PnP manager, which initializes the
BOOT_START drivers that were loaded during the OSLoader phase. [1]

Sub phase 2 - SMSSInit: Session Initialization

The SMSSInit subphase begins when the kernel passes control to the session manager process
(Smss.exe). During this subphase, the system initializes the registry, loads and starts the
devices and drivers that are not marked BOOT_START, and starts the subsystem processes.
SMSSInit ends when control is passed to Winlogon.exe. [1]

Sub phase 3 - WinLogonInit: Winlogon Initialization


The WinLogonInit subphase begins when SMSSInit completes and starts Winlogon.exe. During
WinLogonInit, the user logon screen appears, the service control manager starts services, and
Group Policy scripts run. WinLogonInit ends when the Explorer process starts. [1]

Sub phase 4 - ExplorerInit: Explorer Initialization

The ExplorerInit subphase begins when Explorer.exe starts. During ExplorerInit, the system
creates the desktop window manager (DWM) process, which initializes the desktop and
displays it for the first time. [1]

A detailed analysis of each phase would go far beyond the scope of this article. The analysis always
starts with a boot analysis trace created with the Windows Performance Toolkit, which is described in
the Windows On/Off Transition Performance Analysis Whitepaper. Common performance
vulnerabilities are described in the whitepaper as well.

What is Windows Boot Manager?

Windows Boot Manager (BOOTMGR) is a small piece of software, called a boot
manager, that's loaded from the volume boot code, part of the volume boot record.
BOOTMGR helps your Windows 10, Windows 8, Windows 7, or Windows
Vista operating system start.

BOOTMGR eventually executes winload.exe, the system loader used to continue the
Windows boot process.

Where is Windows Boot Manager (BOOTMGR) Located?


Configuration data required for BOOTMGR can be found in the Boot Configuration Data
(BCD) store, a registry-like database that replaced the boot.ini file used in older versions
of Windows like Windows XP.
The BOOTMGR file itself is both read-only and hidden and is located in the root
directory of the partition marked as Active in Disk Management. On most Windows
computers, this partition is labeled as System Reserved and does not have a drive letter.
If you don't have a System Reserved partition, BOOTMGR is probably located on your
primary drive, usually C:.

How to Manually Repair Windows 7 Boot Loader Problems

1. Boot from the Windows install disc.
2. Go to "Repair your computer".
3. Choose the correct installation.
4. Choose Command Prompt as the recovery tool.
5. To restore the MBR, run: bootrec /fixmbr
6. To write a new boot sector onto the system partition, run: bootrec /fixboot
7. Replacing the Windows XP bootloader with Windows 7: bootsect /nt60 all
8. If you want to restore Windows XP back to the menu, you can open up a command
   prompt in Windows 7 and run this command:
   bcdedit /create {ntldr} -d "Windows XP"

What Do GPT and MBR Do?

MBR (Master Boot Record) and GPT (GUID Partition Table) are two different ways of storing the
partitioning information on a drive. This information includes where partitions start and end, so
your operating system knows which sectors belong to each partition and which partition is
bootable. This is why you have to choose MBR or GPT before creating partitions on a drive.
Windows can only boot from GPT on UEFI-based computers running 64-bit versions of
Windows 10, 8.1, 8, 7, Vista, and corresponding server versions. All versions of Windows 10,
8.1, 8, 7, and Vista can read GPT drives and use them for data; they just can't boot from them
without UEFI.
GPT:
- is not supported by WHS (Windows Home Server) backup
- It is associated with UEFI
- supports > 2 TiB partitions
- cannot be read by older versions of Windows
MBR:
- tops out at 2 TiB
- works with Win 2K --> Win 7 (in case you need to extract data after a system failure)
- works with WHS 2011 backup feature
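
To make the MBR side of this comparison concrete, the following added example (not part of the original page) decodes the four-entry partition table in sector 0, reports which partition is marked Active, and treats a type 0xEE entry as the protective MBR of a GPT disk. It assumes 512-byte sectors; parse_mbr, build_sector and both sample disks are hypothetical names and constructed data.

```python
import struct

SECTOR = 512                      # assumption: 512-byte logical sectors
MBR_MAX_BYTES = 2**32 * SECTOR    # 32-bit LBA fields -> the 2 TiB ceiling
ENTRY = struct.Struct("<B3xB3xII")  # status, CHS, type, CHS, first LBA, sector count


def parse_mbr(sector0: bytes):
    """Return (scheme, partitions) decoded from sector 0 of a disk."""
    if len(sector0) != SECTOR or sector0[510:512] != b"\x55\xaa":
        raise ValueError("not a valid MBR: 0x55AA boot signature missing")
    parts = []
    for i in range(4):                       # four 16-byte entries at offset 446
        status, ptype, first, count = ENTRY.unpack_from(sector0, 446 + 16 * i)
        if ptype == 0x00:                    # unused slot
            continue
        if status not in (0x00, 0x80):       # anything else is a corrupt entry
            raise ValueError(f"entry {i}: invalid status byte {status:#04x}")
        parts.append({"index": i, "active": status == 0x80, "type": ptype,
                      "first_lba": first, "last_lba": first + count - 1,
                      "bytes": count * SECTOR})
    # Type 0xEE marks a protective MBR: the real layout is in the GPT header.
    scheme = "GPT" if any(p["type"] == 0xEE for p in parts) else "MBR"
    return scheme, parts


def build_sector(entries):
    """Constructed sample data: sector 0 holding (status, type, first_lba, count) rows."""
    table = b"".join(ENTRY.pack(*e) for e in entries).ljust(64, b"\0")
    return bytes(446) + table + b"\x55\xaa"


# Constructed MBR disk: 100 MiB active NTFS partition, then a data partition.
MBR_DISK = build_sector([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 1000000)])
# Constructed GPT disk: one protective entry spanning the whole addressable range.
GPT_DISK = build_sector([(0x00, 0xEE, 1, 0xFFFFFFFF)])

if __name__ == "__main__":
    for name, disk in (("MBR_DISK", MBR_DISK), ("GPT_DISK", GPT_DISK)):
        scheme, parts = parse_mbr(disk)
        print(name, scheme)
        for p in parts:
            print("  ", p)
```

The same function can be pointed at the first 512 bytes of a disk image to confirm which scheme it uses before attempting boot repair.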

Figure 1 shows the Windows 8.1 startup process.

Figure 1. Secure Boot, Trusted Boot, and Measured Boot block malware at every stage

Secure Boot and Measured Boot are only possible on PCs with UEFI 2.3.1 and a TPM
chip. Fortunately, all PCs certified for use with Windows 8.1 have these components,
and many PCs designed for earlier versions of Windows have them, as well.
The sections that follow describe Secure Boot, Trusted Boot, ELAM, and Measured Boot.

BIOS (Basic Input/Output System)

BIOS is a type of firmware used to perform hardware initialization during the
booting process and to provide runtime services for operating systems and programs.
It loads a boot loader or an operating system from a mass memory device.
The BIOS additionally provides an abstraction layer for the hardware, i.e., a consistent way
for application programs and operating systems to interact with the keyboard, display, and
other input/output (I/O) devices.

Difference between FAT & NTFS File Systems

FAT File system
- It provides no security if the user logs in locally. File and folder level
  security permissions do not exist.
- It supports file names only 8 characters long.
- It is suitable for a disk partition that is less than 500 MB.
- Partition and file size can be up to 4 GB.
- It supports no file compression.
- The disk can get fragmented, thus slowing down access.
- It is not very reliable since it does not support bad cluster mapping.

NTFS File system
- It provides security for both local and remote users. The security is
  provided to the level of files and folders.
- It supports file names 255 characters long.
- It is suitable for a partition that is greater than 500 MB.
- Partition size can be up to 16 exabytes.
- It supports file compression.
- It is less prone to fragmentation.
- It is highly reliable since it supports bad cluster mapping and transaction
  logging.

ReFS as primary file system

The Resilient File System (ReFS) is another feature that was introduced with Windows 8 and
Windows Server 2012. Designed from the beginning to be more resistant to corruption than its
predecessor, ReFS brings many advantages over the NTFS on-disk format. Microsoft has elevated
both the usefulness and the importance of ReFS in Windows Server 2016 TP2 by making it
the preferred file system for Hyper-V workloads.
