Windows Boot Transition
Guillermo here, back again with another article.
This time around it's about Windows boot transition, from the top of my head this is for Windows 7, 8 and Windows 10 1503-not sure yet.
So I've made notes about it, because it's difficult to find on the internet and right now I am publishing it. Article might be difficult to read, since I came directly from my OneNote, Keep and Evernote.
Enjoy.
Applies to Windows version
- Windows 7
- Windows 8
- Windows 8.1
- Windows 10 1503 or something. (Not sure)
Boot Transition
Operating system initialization and device and driver initialization involve a lot of code and complicated interaction. Because system resources are taxed during boot, reducing resource usage as much as possible is critical to eliminate bottlenecks and improve performance.
The boot transition can be divided into four high-level phases that are shown in Figure 2. A description of each phase is given, followed by a walkthrough of boot analysis.
Figure 2. High-level phases of the boot transition.
Boot Transition: BIOSInitialization Phase
What Happens in This Phase
During the BIOSInitialization phase, the platform firmware identifies and initializes hardware devices, and then runs a power-on self-test (POST). The POST process ends when the BIOS detects a valid system disk, reads the master boot record (MBR), and starts Bootmgr.exe. Bootmgr.exe finds and starts Winload.exe on the Windows boot partition, which begins the OSLoader phase.
Visual Cues
The BIOS splash screens and any POST-related messages appear during BIOSinitialization.
Boot Transition: The OSLoader Phase
What Happens in This Phase
During the OSLoader phase, the Windows loader binary (Winload.exe) loads essential system drivers that are required to read minimal data from the disk and initializes the system to the point where the Windows kernel can begin execution. When the kernel starts to run, the loader loads into memory the system registry hive and additional drivers that are marked as BOOT_START.
Visual Cues
This phase begins approximately when the BIOS splash and diagnostic screens are cleared and ends approximately when the “Loading Windows” splash screen appears.
Boot Transition: The MainPathBoot Phase
What Happens in This Phase
During the MainPathBoot phase, most of the operating system work occurs. This phase involves kernel initialization, Plug and Play activity, service start, logon, and Explorer (desktop) initialization. To simplify analysis, we divide the MainPathBoot phase into four subphases, as Figure 3 shows. Each subphase has unique characteristics and performance vulnerabilities.
Visual Cues
Visually, the MainPathBoot phase begins when the “Starting Windows” splash screen appears and lasts until the desktop appears. If auto-logon is not enabled, the time that elapses while the logon screen is displayed affects the measured boot time in a trace.
Figure 3. The MainPathBoot subphases.
MainPathBoot Phase: PreSMSS Subphase
What Happens in This Subphase
The PreSMSS subphase begins when the kernel is invoked. During this subphase, the kernel initializes data structures and components. It also starts the PnP manager, which initializes the BOOT_START drivers that were loaded during the OSLoader phase.
When the PnP manager detects a device, it loads and initializes the device’s drivers in the following sequence:
-
Detects a device.
-
Loads the drivers into memory and validates the driver signature.
-
Calls the DriverEntry function of the device driver. The driver code executes.
-
Sends an IRP_MN_START_DEVICE I/O request packet (IRP) to the driver, which notifies the driver to start the device. The driver code executes.
-
Sends the IRP_MN_QUERY_DEVICE_RELATIONS IRP to the driver to enumerate any child devices. The driver code executes.
The PnP manager repeats these steps for each enumerated child device. It continues to iterate through child devices until it has enumerated and initialized the full device tree.
Visual Cues
PreSMSS begins approximately when the “Loading Windows” splash screen appears. There are no explicit visual cues for the end of PreSMSS.
MainPathBoot Phase: SMSSInit Subphase
What Happens in This Subphase
The SMSSInit subphase begins when the kernel passes control to the session manager process (Smss.exe). During this subphase, the system initializes the registry, loads and starts the devices and drivers that are not marked BOOT_START, and starts the subsystem processes. SMSSInit ends when control is passed to Winlogon.exe.
Visual Cues
There are no explicit visual cues for the start of SMSSInit, but the blank screen that appears between the splash screen and the logon screen is part of SMSSInit. It ends before the logon screen appears.
MainPathBoot Phase: WinLogonInit Subphase
What Happens in This Subphase
The WinLogonInit subphase begins when SMSSInit completes and starts Winlogon.exe. During WinLogonInit, the user logon screen appears, the service control manager starts services, and Group Policy scripts run. WinLogonInit ends when the Explorer process starts.
Visual Cues
WinLogonInit begins shortly before the logon screen appears. It ends just before the desktop appears for the first time.
MainPathBoot Phase: ExplorerInit Subphase
What Happens in This Subphase
The ExplorerInit subphase begins when Explorer.exe starts. During ExplorerInit, the system creates the desktop window manager (DWM) process, which initializes the desktop and displays it for the first time.
This phase is CPU intensive. The initialization of DWM and desktop occurs in the foreground, while in the background the service control manager (SCM) starts services and the memory manager prefetches code and data. On most systems ExplorerInit is CPU bound, and timing issues are likely the result of a simple resource bottleneck.
Visual Cues
ExplorerInit begins just before the desktop appears for the first time. There is no clear visual cue to indicate the end of ExplorerInit.
Boot Transition: The PostBoot Phase
What Happens in This Phase
The PostBoot phase includes all background activity that occurs after the desktop is ready. The user can interact with the desktop, but the system might still be starting services, tray icons, and application code in the background. This phase is considered complete when Xperf data indicates that background activity has dropped to a reasonably idle level.
Done