Windows 启动的幕后过程

null Windows 启动的幕后过程 Windows 启动的幕后过程喻 勇, PMP/MCSE 微软特约讲师 yy@yuyong.net 讲义下载：www.yuyong.net null课程简介课程简介深入了解Windows的启动过程 掌握解决启动常见问题的技巧 启动时系统崩溃或者死机 启动过程中的错误信息 登陆过程中的故障排除 启动故障的常见原因 第三方驱动程序或者应用程序 由于硬件故障引起的系统文件崩溃 向重装系统说再见第一部分第一部分Windows系统架构 系统启动过程详述 Boot.ini重要参数null设备驱动程序图形 子系统虚拟内存 管理器进程线程 管理器安全 子系统高速缓冲 管理器I/O管理器Hardware interfaces (buses, I/O, interrupts, timers, clocks, DMA, cache control, etc.)ReplicatorAlerter服务控制器WinLogonRPC环境子系统 用户应用程序子系统DLLsPOSIXOS/2会话管理器系统进程服务应用程序文件系统对象管理器 / Executive RTLWindows内核硬件抽象层 (HAL)事件日志用户模式系统线程内核模式执行体APIWin32NTDLL.DLL电源管理器即插即用管理器WMI管理器Windows系统架构启动过程的重要术语启动过程的重要术语在系统安装过程中，写入了启动的主要文件和代码 系统卷(System volume): Master Boot Record (MBR) Boot sector NTLDR – NT Boot Loader NTDETECT.COM BOOT.INI SCSI driver – Ntbootdd.sys 启动卷(Boot volume): System files – %SystemRoot%: Ntoskrnl.exe, Hal.dll, etc.启动过程启动过程系统加电，读取主引导扇区(MBR) MBR中包含了读取分区表的代码 X86系统的分区表有四个条目 第一个被标识为活动的分区为系统卷(system volume) MBR加载系统卷中的引导扇区 引导扇区(NT相关的) 读取系统卷根目录并加载NTLDR 注： MBR和引导扇区都是在系统安装时写入的 通过默认的磁盘定位来进行读取，不需要文件系统干预x86 and x64 Boot Processx86 and x64 Boot ProcessNTLDR (黑屏) 把系统从16位切换到32位，并开启内存分页(page) 如果启动卷(boot volume)是SCSI磁盘，则使用Ntbootdd.sys进行I/O操作 Ntbootdd.sys保存在系统卷上(system volume) 读取并分析Boot.ini文件 Boot.ini selections point to boot drive Specifies OS boot selections and optional switches (most for debugging/troubleshooting) that passed to kernel during boot 如果Boot.ini有多个条目，NTLDR显示选择菜单 如果用户选择启动64位Windows系统，NTLDR将CPU期换到64位模式 注： NTLDR启动后，如果在系统根目录下发现有Hiberfil.sys文件且该文件有效，那么NTLDR将读取Hiberfil.sys文件里的信息并让系统恢复到休眠以前的状态，这时并不处理Boot.ini文件。 在双启动的情况下，如果用户选择DOS，则NTLDR加载BOOTSECT.DOS，这是供DOS使用的引导扇区副本 http://soft.yesky.com/os/win/457/2285457.shtml 不得不说的Boot.ini不得不说的Boot.iniWindows中Boot.ini文件的作用 http://support.microsoft.com/kb/314081/zh-cn Boot.ini 文件的可用开关选项 http://support.microsoft.com/kb/833721/zh-cn http://www.sysinternals.com/information/bootini.html Bootcfg 命令及其用法讨论 http://support.microsoft.com/kb/291980/zh-cn 如何使用 /userva 和 /3GB 开关将用户模式空间调整为介于 2 GB 和 3 GB 之间的值 http://support.microsoft.com/kb/316739/ 启动过程(续)启动过程(续)NTLDR (cont) 完成Boot.ini引导选择以后，用户可以按F8进入高级启动选项 Last Known Good, Safe modes, hardware profile, Debugging mode NTLDR执行Ntdetect.com进行硬件和BIOS信息检测 启动后期会将检测结果保存到 HKLM\Hardware\Description NTLDR加载注册表SYSTEM hive (HKLM\System), 引导驱动程序, Ntoskrnl.exe, Hal.dll,并将控制权转交给Ntoskrnl.exe的入口函数 Boot driver: critical to boot process (e.g. boot file system driver) 注 在启动早期，Windows内核还没有完全初始化，这是仅仅加载最基本的驱动程序 NTLDR会加载启动卷(boot volume)文件系统驱动,以只读的方式访问系统启动需要的其他文件和子目录启动过程(续)启动过程(续)Ntoskrnl (屏幕显示Windows启动徽标) 通过两阶段来完成内核子系统的初始化 第一阶段完成对象定义(process, thread, driver, etc)和核心数据结构初始化 第二阶段完成对象初始化和子系统启动 这两个过程有随后成为”System Idle Process”的内核系统线程来完成 I/O Manager 按顺序加载”boot-start”驱动程序和”system-start”驱动程序 最后, Ntoskrnl创建会话管理器进程(Session Manager) (\Windows\System32\Smss.exe), 这是第一个用户态进程驱动程序的加载顺序驱动程序的加载顺序每个驱动程序的信息都保存在注册表中 HKLM\System\CurrentControlSet\Services 类型: 1 for driver, 2 for file system driver, others are Win32 services 启动方式: 0 = boot, 1 = system, 2 = auto, 3 = manual, 4 = disabled 察看驱动程序启动类型： Run LoadOrd from Sysinternals Run Msinfo32 and goto Software Environment\System Drivers Run Driverquery (/v for verbose)启动过程(续)启动过程(续)Smss.exe: 运行BootExecute中指定的程序，例如autochk,chkdsk等 处理“Delayed move/rename”命令 初始化paging files和其余的注册表项 加载并初始化内核模式中的Win32子系统 (Win32k.sys) 启动Csrss.exe (Win32子系统在用户模式的部分) 启动Winlogon.exe启动过程(续)启动过程(续)Winlogon.exe: 启动LSASS (Local Security Authority) 加载GINA (Graphical Identification and Authentication)并等待用户登录 默认GINA是Msgina.dll,可以自行开发GINA来实现基于生物信息的用户登录 启动Services.exe(后台服务管理器) Services.exe启动所有标识为自动启动的Win32服务程序 Windows启动完成！第二部分第二部分MBR corruption Boot sector corruption Boot.ini misconfiguration System file corruption Crashes or hangs Driver or service startup failure Logon problemsMBR CorruptionMBR CorruptionSymptoms: Hang at a black screen after BIOS executes “Invalid Partition Table”, “Error loading operating system” or “Missing operating system” message on black screen Cause: MBR is corrupt Resolution: Boot into Recovery Console Execute the RC’s “fixmbr” command If the partition table is corrupt you have to rely on restoring a backup MBR or use 3rd-party disk repair toolsThe Recovery ConsoleThe Recovery ConsoleDescription: Simple repair-oriented command-line environment Built on a minimal NT kernel Bootable from Win2K/XP/Server 2003 Setup CD Type “r” to repair and then select the installation Installable onto hard disk (winnt32.exe /cmdcons)The Recovery ConsoleThe Recovery ConsoleCapabilities: File commands: rename, move, delete, copy Service/Driver commands: listsvc, enable, disable MBR/Boot sector commands: fixmbr, fixboot Limitations: Must “log into” the system with the Administrator password Limits on what you can access: Only access system directory and root of non-removable media Can only copy files onto system, not off You can override these in the Local Security Policy editor (secpol.msc) on the installation when its running No networking, file editing, or registry editing Boot Sector CorruptionBoot Sector CorruptionSymptoms: Black screen hang “A disk read error occurred”, “NTLDR is missing” or “NTLDR is compressed” error message on black screen Cause: Boot sector corruption Troubleshooting: Boot into RC Execute “fixboot” commandBoot.ini ProblemsBoot.ini ProblemsSymptom: NTOSKRNL complains that boot device is inaccessible Cause: Boot.ini is missing or corrupt Boot.ini is out-of-date because a partition has been addedBoot.ini ProblemsBoot.ini ProblemsTroubleshooting: Boot into RC Run Bootcfg /rebuildSystem File CorruptionSystem File CorruptionSymptom: Error message indicating that NTLDR, NTOSKRNL.EXE, HAL.DLL or other system file is missing or corrupt Blue screen with corruption messageSystem File CorruptionSystem File CorruptionCauses: Disk is corrupt File is missing or corrupt Troubleshooting: Boot into RC Run Chkdsk If no chkdsk errors obtain clean copy of file and replace file Check in \Windows\System32\DLLCache for backup Replacement must be identical match i.e. from same hotfix or service pack If can’t find replacement use Automated System Recovery (ASR) Automated System Recovery (ASR)Automated System Recovery (ASR)Description: Backup of all system state and user data on system volume Includes registry, system files, boot sector, MBR Made by Windows Backup Boot into ASR from Windows setup (press F2 when prompted) and insert the ASR floppy Capabilities: Will restore entire system state, including boot sector, MBR, system files, and registry Limitations: You have to keep the backup up-to-date No control over granularity of restore (all-or-nothing) LAST Choice: Repair InstallSYSTEM Hive CorruptionSYSTEM Hive CorruptionSymptom: NTLDR reports that System hive is corrupt Causes: Disk is corrupt System hive is corrupted or deletedSystem Hive CorruptionSystem Hive CorruptionTroubleshooting: Boot into RC Run Chkdsk Copy backup copy of System hive from \Windows\Repair to \Windows\System32\Config Windows Setup makes backup after it completes **Backing up “System State” with Windows Backup update the Repair directory** Note: on XP you can get more recent hives from System Restore points (covered later)Post-Splash Screen Crash or HangPost-Splash Screen Crash or HangSymptoms: System blue screens on boot Hang before logon prompt appears NOTE: If system auto-reboots on crash you won’t see the blue screen! Causes: Buggy driver Registry corruption of non-System hive Troubleshooting: Last Known Good or Safe Mode or RCAccessing Last Known GoodAccessing Last Known GoodEnable it by pressing F8 and selecting it in the Advanced Options boot menuLKG DescriptionLKG DescriptionLast Known Good (LKG) Uses backup of registry control set last used to boot successfully A Control Set is core startup configuration HKLM\System\Control00n Control set only includes core OS and driver configuration Control set does not include Software, SAM, Security, or Users HKLM\System\Select\Current points at active Control Set LKG DescriptionLKG DescriptionBoot control makes a copy of the control set that booted the system Copy is ControlSet00n, where 00n is the next available number After a successful boot: 1. LastKnownGood is set to the copy 2.The previous LastKnownGood is deleted By default, “Successful boot” is determined when All the auto-start services have started successfully A successful interactive log in Can be overridden programmaticallyLKG CapabilitiesLKG CapabilitiesRestores bootable configuration when: A new driver was installed since the last successful boot A driver’s settings were modified since the last successful boot System settings were modified since the last successful bootLKG LimitationsLKG LimitationsDoesn’t work if: An existing driver was updated A latent driver bug for some reason becomes active Files or registry hives are missing or corruptLeveraging the Failed Control SetLeveraging the Failed Control SetWhen you use LKG the control set you avoid is saved as the Failed control set Look at the Failed value in the Select key – this is the control set that you aborted Export the current control set and failed control set to .reg files Massage the text so that there are no differences in the control set name Windiff or Fc to see what’s different Safe Mode DescriptionSafe Mode DescriptionTry Safe Mode if LKG doesn’t work Accessible from same boot menu as LKG Idea is to only include core set of drivers/services Modeled after Safe Mode in Windows 95 Avoids third-party and unnecessary drivers, which hopefully are what’s causing the boot problemSafe Mode DescriptionSafe Mode DescriptionHKLM\System\CurrentControlSet\Safeboot guides safe mode by specifying names and groups of drivers Normal, Network, Command-Prompt No networking in Normal Networking includes networking services Command-Prompt is same as Normal except launches Command Prompt instead of Explorer as shell for when Explorer shell extensions cause logon problems Directory Services Restore Mode: not for boot troubleshooting (for repairing or restoring Active Directory database from backup) Safe Mode InternalsSafe Mode InternalsRegistry keys guide what’s in safe modes: HKLM\System\CurrentControlSet\SafeBoot\Minimal is for Normal and Command-Prompt HKLM\System\CurrentControlSet\SafeBoot\AlternateShell specifies shell for Command-Prompt boot HKLM\System\CurrentControlSet\SafeBoot\Network is for Network Drivers and services must be listed by name or by group to be loaded Exception: all boot-start drivers load regardless! System assumes they are necessary to bootUsing Safe ModeUsing Safe ModeIf Safe Mode works determine what’s wrong: Compare boot logs Analyze a crash dump Boot logging: Select it from same menu as LKG and Safe Mode and boot to the failure Saves log in \Windows\Ntbtlog.txt Reboot in Safe Mode Safe Mode appends to the boot log Extract failed boot and Safe Mode entries to separate files, strip “Did not load driver” lines and compare e.g. Windiff, fcAnalyzing a Crash DumpAnalyzing a Crash DumpBoot into Safe Mode Download and install the Microsoft Debugging Tools for Windows Run Windbg and select File|Open Crash Dump Open \Windows\Memory.dmp if available, otherwise most recent file in \Windows\Minidump Type !analyze –v to see if debugger identifies faulty driverResolving the Faulty Driver IssueResolving the Faulty Driver IssueIf you can determine what driver is causing the problem: Roll back to a previous version if one is available and known to be stable or Disable it with Device Manager Note: can’t do this for non-PnP drivers: use the registry editorUsing Driver RollbackUsing Driver RollbackAccess the rollback option on the Driver tab of a device’s properties Backup drivers are stored in \Windows\System32\ReinstallbackupsDisabling DriversDisabling DriversOpen the Device Manager on the Hardware page of the System applet Change usage to Disabled Or use the SC command to change the start type of a specific driver Finding the Faulty DriverFinding the Faulty DriverThere are three approaches when you can’t determine what driver is causing the boot to fail: Use the Driver Verifier to catch the faulty driver Disable drivers that don’t load in Safe Mode one by one until the system boots normally Use System Restore (Windows XP only) as a last resortThe Driver VerifierThe Driver VerifierThe Driver Verifier catches drivers performing illegal operations: Buffer overflow Invalid memory access Invalid I/O commands Launch it with Start->Run->Verifier Enable the Driver Verifier on all drivers from within Safe Mode Choose “custom settings” and then “select individual settings” Check all settings except “low resource simulation” Boot normally and you’ll hopefully get a crash that is easy to analyze Note: the Driver Verifier is disabled in Safe ModeSystem Restore DescriptionSystem Restore DescriptionRollback system to previous state (registry, COM+ registration database, user profiles, other files not protected by WFP) New to XP (not included with Server 2003) Enabled by default Replacement of certain file types causes original version to be stored in a restore point folder 569 file types monitored—see Platform SDK for list Restore operation replaces these files Implemented as a service and a filter driver Access the System Restore Wizard from Start->Help and Support->System Restore Safe Mode asks when you log in if you want to run the wizardSystem Restore CreationSystem Restore CreationRestore Points are created: Every 24 hours no one is logged on Every 12 hours when someone is logged on When installing an unsigned driver When explicitly requested by user or an install program (via an API or script) Start->Help and Support -> System RestoreSystem Restore InternalsSystem Restore InternalsFile System Driver (NTFS/FAT)System Restore FilterApplicationsFile system requestChange.log1A0009653.exeA0009654.ini\System Volume Information\ _restore{XX-XXX-XXX }\ RP5User mode Kernel modeUsing System RestoreUsing System RestoreNote that you can also use restore points to obtain backup registry hivesWhen Safe Mode FailsWhen Safe Mode FailsSymptom: Safe mode crashes the same as a normal boot Causes: The driver causing the crash also loads in safe mode Troubleshooting: Determine the problematic driver: Boot into RC and look at the last line in the boot log Boot into debugging mode Disable it with the RC’s “disable” commandThe Logon ProcessThe Logon ProcessWinlogon sends username/password to Lsass Either on local system for local logon, or to Netlogon service on a domain Creates processes for executables listed in HKLM\Software\Microsoft\Windows NT \CurrentVersion\WinLogon\Userinit By default: Userinit.exe Runs logon script, restores drive-letter mappings, starts shell Userinit creates a process to run HKLM\Software\Microsoft\Windows NT \CurrentVersion\WinLogon\Shell By default: Explorer.exe There are other places in the Registry that control programs that start at logon Logon ErrorsLogon ErrorsRun MsConfig (XP and higher) Doesn’t show you lots of things Run Sysinternals Autoruns to see what applications automatically start Select “show only non-microsoft” to isolate third-party applicationsnullhttp://support.microsoft.com/kb/326841 http://support.microsoft.com/kb/324465 TechNet是什么?TechNet是什么?只需轻轻点击，答案就在您的指尖 对于IT 专业人员来说，TechNet 是一个知识的宝库，你可以找到关于如何规划，部署和管理微软产品的的技术资源每月发放包含最新信息的 DVD或者CD 这是最权威的资源，可以帮助你评估、配置和维护微软产品。订阅TechNet可以访问该站点 www.microsoft.com/china/technet 在线资源和社区 订户--仅仅提供在线服务TechNet 网站两周发放一次的中文电子快报 安全更新, 新的资源等等TechNet 中文电子快报有关最新微软产品介绍和技术的简报 上机试验, “如何操作”等信息TechNet 活动 和网站消息用户群 可管理的新闻组中文社区我们从哪里可以了解到 TechNet?我们从哪里可以了解到 TechNet?访问TechNet的官方网站 www.microsoft.com/China/technet 注册TechNet快报 www.microsoft.com/china/technet/abouttn/subscriptions/flash.mspx 加入到中文在线论坛 http://www.microsoft.com/china/community/ 成为 TechNet的订户 www.microsoft.com/china/technet 参与到更多的TechNet活动中或者在线了解 www.microsoft.com/china/technet null