Booting process of Windows

The booting process of Microsoft Windows varies between different releases.

DOS-based Windows

Windows 1.x/2.x

In Windows versions 1.01 to Windows 2.11, the system was loaded when WIN.COM was executed. It then loaded WIN100.BIN or WIN200.BIN and WIN100.OVL or WIN200.OVL, along with the configuration settings file WIN.INI. The default shell is the MS-DOS Executive.

The modules GDI.EXE, KERNEL.EXE and USER.EXE, fonts, and the various device drivers (such as COMM.DRV, MOUSE.DRV, KEYBOARD.DRV) are incorporated in WIN100.BIN/WIN200.BIN and WIN100.OVL/WIN200.OVL.

Windows 3.x/9x

In Windows 3.x and 95/98/ME, the boot loader phase is handled by MS-DOS. During the boot phase, CONFIG.SYS and AUTOEXEC.BAT are executed, along with the configuration settings files WIN.INI and SYSTEM.INI. Virtual device drivers are also loaded in the startup process: they are most commonly loaded from the registry (HKLM\System\CurrentControlSet\Services\VxD) or from the SYSTEM.INI file.

MS-DOS starts WIN.COM. In Windows 3.x, WIN.COM starts KRNL286.EXE (standard mode) or KRNL386.EXE (386 enhanced mode). In Windows 9x, WIN.COM starts VMM32.VXD.

When all system configuration files and device drivers have been loaded, the 16-bit modules, KRNL386.EXE, GDI.EXE, and USER.EXE, are loaded, then the 32-bit DLLs (KERNEL32.DLL, GDI32.DLL, and USER32.DLL) are loaded. The 32-bit VxD message server (MSGSRV32) starts MPREXE.EXE, which is responsible for loading the network logon client (such as Client for Microsoft Networks, Microsoft Family Logon or Windows Logon).

When a user is logging on to Windows, the startup sound is played, the shell (usually EXPLORER.EXE) is loaded from the [boot] section of the SYSTEM.INI file, and startup items are loaded.

In all versions of Windows 9x except ME, it is also possible to load Windows by booting to a DOS prompt and typing "win". There are some command line switches that can be used with the WIN command: with the /D switch, Windows boots to safe mode, and with the /D:n switch, Windows boots to safe mode with networking. The latter switch only works properly with Windows 95. [1] In Windows 3.1, additional options are available, such as /3, which starts Windows in 386 enhanced mode, and /S, which starts Windows in standard mode. [2]

A startup sound was first added in Windows 3.0 after installing the Multimedia Extensions (MME), [3] but not enabled by default until Windows 3.1.

Windows NT

In Windows NT, the booting process is initiated by NTLDR in versions before Vista and by the Windows Boot Manager in Vista and later. [4] The boot loader is responsible for accessing the file system on the boot drive, starting ntoskrnl.exe, and loading boot-time device drivers into memory. Once all the boot and system drivers have been loaded, the kernel starts the session manager, which begins the login process. After the user has successfully logged into the machine, winlogon applies User and Computer Group Policy settings and runs startup programs declared in the Windows Registry and in "Startup" folders. [5]

In Windows 95/98/ME, it was also possible to run a program before the user logs on by using the RunServicesOnce or RunServices keys. In Windows NT, this has been replaced by the services.exe program, which is able to load a set of system services before a user logs on. Additionally, in English-language versions of Windows, the startup folder was called "StartUp" instead of "Startup" in Win9x.

Due to the minimally restricted environment of these operating systems, any program can add itself to the Startup registry key or system folder. This method is frequently used by malware.
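
Because any program can register itself this way, startup entries are a routine thing to audit. The following is an added example, not part of the original article: it parses a registry export in regedit (.reg) text format, collects the values under the Run, RunOnce, RunServices and RunServicesOnce keys, and flags commands that live in user-writable directories. The sample export is constructed, and the list of suspect directories is an assumed triage heuristic rather than a complete rule.

```python
import re

# Keys under ...\Microsoft\Windows\CurrentVersion whose values run at startup.
# RunServices/RunServicesOnce are the Windows 9x keys named in the text.
AUTOSTART = {"run", "runonce", "runservices", "runservicesonce"}
CV_PARENT = "\\software\\microsoft\\windows\\currentversion\\"
# Assumed triage heuristic: commands stored in user-writable directories.
SUSPECT_DIRS = ("\\temp\\", "\\local settings\\", "\\appdata\\")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

# Constructed sample in regedit export (.reg) format, not from a real host.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"Updater"="\"C:\\Documents and Settings\\alice\\Local Settings\\Temp\\upd.exe\" /s"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer]
"NotAutostart"="ignored.exe"
'''

def unescape(s):
    # .reg strings escape backslash and double quote with a leading backslash.
    return re.sub(r"\\(.)", r"\1", s)

def autostart_entries(reg_text):
    """Return (key, value name, command) for every value under an autostart key."""
    entries, key = [], None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            leaf = path.rsplit("\\", 1)[-1].lower()
            hit = leaf in AUTOSTART and path.lower().endswith(CV_PARENT + leaf)
            key = path if hit else None      # ignore values under other keys
        elif key and (m := VALUE_RE.match(line)):
            entries.append((key, unescape(m.group(1)), unescape(m.group(2))))
    return entries

def suspicious(entries):
    """Entries whose command line references a user-writable directory."""
    return [e for e in entries if any(d in e[2].lower() for d in SUSPECT_DIRS)]

if __name__ == "__main__":
    for key, name, cmd in suspicious(autostart_entries(SAMPLE_REG)):
        print(f"REVIEW {key} :: {name} -> {cmd}")
```
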


References

  1. "Unable to Start Windows 98 in Safe Mode with Network Support". Support. Microsoft. January 23, 2007. Archived from the original on October 14, 2007.
  2. "Windows 3.1 WIN.COM Command Switches". Support. Microsoft. October 13, 2003. Archived from the original on April 23, 2007.
  3. Windows 3.0 MME... actually has a startup sound (and more!), archived from the original on 2021-12-13, retrieved 2021-06-22
  4. "Boot Sequence of Windows Multi-Boot - Multibooters.com". www.multibooters.com. Archived from the original on 2020-02-19. Retrieved 2020-11-19.
  5. "Troubleshooting the Startup Process". Windows XP Resource Kit. Microsoft Technet. November 3, 2005. Archived from the original on October 26, 2011. Retrieved October 24, 2011.