
Chapter 5 Startup and Shutdown

Chapter 5 Startup and Shutdown. Presenter: 이용석. Date: July 24, 2006. Contents: Boot Process (x86/x64 family only), Troubleshooting Boot and Startup Problems, Shutdown, Conclusion.


Presentation Transcript


  1. Chapter 5 Startup and Shutdown. Presenter: 이용석. Date: July 24, 2006

  2. Contents • Boot Process (x86/x64 family only) • Troubleshooting Boot and Startup Problems • Shutdown • Conclusion

  3. Boot Process Overview (1) • BIOS • MBR • Boot sector • Ntldr • loads Ntbootdd.sys (if needed) • loads Boot.ini • resumes from Hiberfil.sys if one exists • Boot.ini entry selection • if MS-DOS, Bootsect.dos • Ntdetect.com • displays “Starting Windows”

  4. Boot Process Overview (2) • Ntldr loads the kernel and HAL images • the SYSTEM registry hive • boot device drivers • the file system driver • boot drivers • Ntoskrnl phase 0 • Interrupts are disabled • KiSystemStartup • HalInitializeProcessor • KiInitializeKernel

  5. Boot Process Overview (3) • ExpInitializeExecutive • HalInitSystem • memory manager • object manager • security reference monitor • process manager • prepares a thread for phase 1 • Plug and Play manager • Idle loop

  6. Boot Process Overview (4) • phase 1 • NLS • LPC • WMI • Command Server Thread • Smss • Win32k.sys • Winlogon • GINA • SCM • services, device drivers, Lsass • logon notification from the GINA • shell started via the GINA • etc.

  7. X86 and x64 Boot Process Components (1)

  8. X86 and x64 Boot Process Components (2)

  9. BIOS (Basic Input/Output System) • Encoded into the computer’s ROM • Selects a boot device • Reads that device’s MBR into memory • Transfers control to the code in the MBR

  10. MBR (Master Boot Record) • Scans the primary partition table for a bootable partition • Reads its boot sector into memory and transfers control

  11. Boot sector • Each file system needs its own boot sector code • Read-only and root-directory-capable file system code • Reads Ntldr into memory from the root directory of the system volume • Transfers control to Ntldr’s entry point • If it can’t find Ntldr • “BOOT: Couldn’t find NTLDR” for FAT • “NTLDR is missing” for NTFS

  12. NTLDR (1) • Begins in real mode • No virtual-to-physical translation of memory addresses • Only the first 1 MB of memory is usable • Switches the system to protected mode • Still no virtual-to-physical translation • The full 32 bits of memory address become accessible • Can access all of physical memory • Creates enough page tables to make memory below 16 MB accessible with paging turned on • Enables paging • Boot-code functions briefly switch off paging because they depend on the BIOS for IDE and display access • For non-IDE disks (i.e. SCSI), loads Ntbootdd.sys, which is a copy of the SCSI miniport driver

  13. NTLDR (2) • Reads Boot.ini using built-in file system code • Like the boot sector’s code, read-only • But can read subdirectories • Clears the screen • If there is a valid Hiberfil.sys in the root of the system volume • Reads it • Transfers control to code in the kernel that resumes a hibernated system • Hiberfil.sys is valid only if the computer was hibernated the last time it was shut down • See Chapter 11 for information on hibernation

  14. NTLDR (3) • If there is more than one boot-selection entry in Boot.ini • Presents the user with the boot-selection menu • Selection entries in Boot.ini • Direct Ntldr to the partition on which the Windows system directory resides • This partition is the boot partition or another primary partition • If the Boot.ini entry refers to an MS-DOS installation • By referring to C:\ as the system partition • Reads Bootsect.dos into memory • Switches back to 16-bit real mode • Calls the MBR code in Bootsect.dos • Continues an MS-DOS-specific boot

  15. NTLDR (4) • Boot options • Can be included on entries in Boot.ini • Bootcfg.exe tool: sets a number of the switches • Saved to the registry value HKLM\System\CurrentControlSet\Control\SystemStartOptions • If no selection is made within the timeout period • Chooses the default selection • The first entry whose path matches the path given on the “default=” line • Loads and executes Ntdetect.com • 16-bit real-mode program • Uses the system’s BIOS to query the computer for basic device and configuration information
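As an added example (not code from the presentation or from Ntldr itself), a Python parser for Boot.ini that applies the selection rule slides 14 and 15 describe: on timeout the first entry whose path matches the “default=” line is booted, entries carry switches such as /SOS and /BOOTLOG, and a C:\ entry means an MS-DOS boot through Bootsect.dos. The Boot.ini text is constructed sample input, and falling back to the first entry when “default=” matches nothing is an assumption of the example.

```python
import re

# Constructed sample input; the two XP entries share one ARC path on purpose.
SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP (show driver names)" /fastdetect /sos /bootlog
C:\\="Microsoft Windows"
"""

# <ARC path or C:\>="<menu text>" [/switch[=value] ...]
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<name>[^"]*)"(?P<switches>.*)$')


def parse_boot_ini(text):
    """Return ({boot loader keys}, [operating system entries])."""
    section, loader, entries = None, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
        elif section == 'boot loader':
            key, _, value = line.partition('=')
            loader[key.strip().lower()] = value.strip()
        elif section == 'operating systems':
            m = ENTRY_RE.match(line)
            if not m:
                raise ValueError('malformed Boot.ini entry: ' + line)
            switches = {}
            for sw in m.group('switches').split():
                name, _, value = sw.lstrip('/').partition('=')
                switches[name.upper()] = value or True  # /SOS -> True, /BURNMEMORY=128 -> '128'
            path = m.group('path').strip()
            entries.append({
                'path': path, 'name': m.group('name'), 'switches': switches,
                # a C:\ system-partition entry is booted through Bootsect.dos
                'via_bootsect_dos': path.upper() == 'C:\\',
            })
    return loader, entries


def select_entry(loader, entries, user_choice=None):
    """Entry Ntldr boots: the menu choice, or on timeout the FIRST entry whose
    path matches "default=". Falling back to entries[0] when nothing matches
    is an assumption of this example, not documented Ntldr behaviour."""
    if user_choice is not None:
        return entries[user_choice]
    default_path = loader.get('default', '').lower()
    for entry in entries:
        if entry['path'].lower() == default_path:
            return entry
    return entries[0]
```

A menu is shown only when parse_boot_ini returns more than one entry; with the sample above, the timeout case picks the first XP entry even though the second has the same ARC path.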

  16. NTLDR (5) • The time and date information stored in the system’s CMOS • The types of buses on the system and identifiers for devices attached to the buses • The number, size, and types of disk drives on the system • The types of mouse input devices connected to the system • The types of parallel ports configured on the system • The types of video adapters present on the system • This information is stored under the HKLM\HARDWARE\DESCRIPTION registry key later in the boot • Loads boot drivers • Windows 2000: displays “Starting Windows” • Windows XP and Windows Server 2003: present a logo splash screen

  17. NTLDR (6) • If on an x64 system with a kernel for x64 • Switches the processor to long mode (native word size is 64 bits) • Loads the files from the boot volume • Needed to start kernel initialization • The boot volume corresponds to the partition on which the system directory resides • Loads the appropriate kernel and HAL images • By default, Ntoskrnl.exe and Hal.dll • If this fails: prints the message “Windows could not start because the following file was missing or corrupt”, followed by the name of the file

  18. NTLDR (7) • Reads in the SYSTEM registry hive • \Windows\System32\Config\System • Determines which device drivers need to be loaded to accomplish the boot • Scans the in-memory SYSTEM hive and locates all boot device drivers • Boot-device drivers • Drivers necessary to boot the system • Indicated in the registry by a Start value of SERVICE_BOOT_START (0) (e.g. HKLM\SYSTEM\CurrentControlSet\Services\dmio\Start)

  19. NTLDR (8) • Adds the file system driver • For the type of partition on which the installation directory resides • Must load this driver at this time • If it didn’t, that would introduce a circular dependency • Loads the boot drivers • To avoid circular dependencies • Displays a progress bar to indicate the progress of the loading • /SOS switch: displays the filename of each boot driver instead of the progress bar • Prepares CPU registers for the execution of Ntoskrnl.exe

  20. Boot options (1)

  21. Boot options (2)

  22. Ntoskrnl (1) • Receives • A copy of the selected line in Boot.ini • A pointer to the memory tables Ntldr generated to describe the physical memory on the system • A pointer to the in-memory copies of the HARDWARE and SYSTEM registry hives • A pointer to the list of boot drivers • Two-phase initialization process • Most executive subsystem initialization functions take a parameter that identifies which phase is executing

  23. Ntoskrnl (2)
      main
          // start phase 0
          disable interrupts
          KiSystemStartup
              HalInitializeProcessor
              KiInitializeKernel
                  On boot CPU only, systemwide kernel initialization
                  ExpInitializeExecutive
                      HalInitSystem
                      On boot CPU, processing the /BURNMEMORY switch
                      phase 0 initialization routines for the 5 managers
          proceeds to Idle loop
          // end of phase 0

  24. Ntoskrnl (3) • Phase 0 • Interrupts are disabled • Builds the rudimentary structures required to allow the services needed in phase 1 to be invoked • Calls KiSystemStartup • Calls HalInitializeProcessor and KiInitializeKernel for each CPU • KiInitializeKernel • On the boot CPU: performs systemwide kernel initialization • On other CPUs: calls ExpInitializeExecutive • ExpInitializeExecutive • Responsible for orchestrating phase 0 • Calls the HAL function HalInitSystem

  25. Ntoskrnl (4) • ExpInitializeExecutive on the boot CPU • Processes the /BURNMEMORY Boot.ini switch • Discards the amount of memory the switch specifies • See also: /MAXMEM • Calls the phase 0 initialization routines: memory manager, object manager, security reference monitor, process manager, and Plug and Play manager • HalInitSystem • Gains system control before Windows performs significant further initialization • Prepares the system interrupt controller of each CPU for interrupts • Configures the interval clock timer interrupt, which is used for CPU time accounting (see Chapter 6 for more on CPU time accounting)

  26. Ntoskrnl (5) • Memory manager’s initialization • Constructs page tables • Prepares internal data structures for basic memory services • Builds and reserves an area for the system file cache • Creates memory areas for the paged and nonpaged pools • Object manager’s initialization • Defines the objects that are necessary to construct the object manager namespace • Creates a handle table • Security reference monitor’s initialization • Initializes the token type object • Prepares the first local system account token for assignment to the initial process (see Chapter 8)

  27. Ntoskrnl (6) • Process manager’s initialization • Performs most of its initialization in phase 0 • Defines the process and thread object types • Sets up lists to track active processes and threads • Creates the System process and a system thread to execute the routine Phase1Initialization (not started now, because interrupts are disabled) • Plug and Play manager’s initialization • Simply initializes an executive resource used to synchronize bus resources

  28. Ntoskrnl (7) • Phase 1 • HalInitSystem • Prepares the system to accept interrupts from devices • Enables interrupts • Boot video driver • \Windows\System32\Bootvid.dll • Windows 2000: displays the Windows startup screen • Windows XP, 2003: presents the same graphic that Ntldr placed on the screen earlier in the boot • Power manager’s initialization • The system time is initialized (by HalQueryRealTimeClock) and then stored as the time the system booted • On a multiprocessor system, the remaining processors are initialized and execution starts • The progress bar is set to 5 percent

  29. Ntoskrnl (8) • The object manager creates • The namespace root directory (\) • The \ObjectTypes directory • The DOS device name mapping directory (\?? on Windows 2000, and \Global?? on Windows XP and Windows Server 2003) • The \DosDevices symbolic link that points at the DOS device name mapping directory • The executive • Creates the executive object types including semaphore, mutex, event, and timer • The kernel initializes • Scheduler (dispatcher) data structures • The system service dispatch table

  30. Ntoskrnl (9) • The security reference monitor • Creates the \Security directory in the object manager namespace • Initializes auditing data structures if auditing is enabled • The progress bar is set to 10 percent • The memory manager • Creates the section object and the memory manager’s system worker thread (explained in Chapter 7) • National language support (NLS) tables are mapped into system space • Ntdll.dll is mapped into the system address space • The cache manager • Initializes the file system cache data structures • Creates its worker thread

  31. Ntoskrnl (10) • The configuration manager • Creates the \Registry key object in the object manager namespace • Copies the initial registry data passed by Ntldr into the HARDWARE and SYSTEM hives • Global file system driver data structures are initialized • The Plug and Play manager calls the Plug and Play BIOS • The progress bar is set to 20 percent • The local procedure call (LPC) subsystem initializes the LPC port type object • If the system was booted with boot logging (/BOOTLOG), the boot log file is initialized • The progress bar is set to 25 percent

  32. Ntoskrnl (11) • The I/O manager initialization • Initializes various internal structures • Creates the driver and device object types • Calls the Plug and Play manager, power manager, and HAL to begin the various stages of dynamic device enumeration and initialization (see Chapter 9) • Windows Management Instrumentation (WMI) is initialized (see Chapter 4) • Boot-start drivers are called to perform their driver-specific initialization • System-start device drivers are loaded and initialized (see Chapter 9) • MS-DOS device names are created as symbolic links in the object manager’s namespace

  33. Ntoskrnl (12) • The progress bar is set to 75 percent • If the computer is booting in safe mode, this fact is recorded in the registry • Unless explicitly disabled in the registry, paging of kernel-mode code (in Ntoskrnl and drivers) is enabled • The progress bar is set to 80 percent • The power manager initializes various power management structures • The progress bar is set to 85 percent • The security reference monitor creates the Command Server Thread that communicates with Lsass (see Chapter 8) • The progress bar is set to 90 percent • Creates the Session Manager subsystem (Smss) • The progress bar is (finally) set to 100%

  34. Ntoskrnl (13) • The phase 1 initialization thread waits for the handle to the Session Manager process with a timeout value of 5 seconds • If it times out • The system crashes itself with a SESSION5_INITIALIZATION_FAILED bug check code • Else • The Session Manager is assumed to have started successfully • The thread calls the memory manager’s zero page thread function (explained in Chapter 7) • This system thread becomes the zero page thread for the remainder of the life of the system

  35. Smss (1) • Considered a trusted part of the operating system by Windows • So it can perform actions such as creating security tokens • Is a native application • Doesn’t use Windows APIs • Uses only core executive APIs, the Windows native API • Because the Windows subsystem isn’t executing when Smss launches • Starts the Windows subsystem • Calls the configuration manager executive subsystem • To initialize the registry

  36. Smss (2) • Fleshes the registry out to include all its keys • The configuration manager • Records the paths to the hives it loads in the HKLM\SYSTEM\CurrentControlSet\Control\hivelist key • Creates an LPC port object (\SmApiPort) and two threads to wait for client requests • Requests such as loading a new subsystem or creating a session • Defines the symbolic links for MS-DOS device names • Such as COM1 and LPT1 • If Terminal Services is installed • Creates the \Sessions directory in the object manager’s namespace (for multiple sessions)

  37. Smss (3) • Runs programs automatically • Defined in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute • Typically the boot-time version of Chkdsk (Autochk) • Performs delayed file rename and delete operations • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2 • Opens known DLLs • The list of DLLs in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

  38. Smss (4) • Creates section objects for them in the \KnownDlls directory of the object manager namespace • Creates additional paging files • Configuration: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles • Initializes the registry • Fleshes out the registry by loading the registry hives for the HKLM\SAM, HKLM\SECURITY, and HKLM\SOFTWARE keys • Hive locations to look in • HKLM\SYSTEM\CurrentControlSet\Control\hivelist • \Windows\System32\Config (forced)

  39. Smss (5) • Creates system environment variables • HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment • Loads the kernel-mode part of the Windows subsystem (Win32k.sys) • Path to it and its components: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager • Changes from VGA mode to the default resolution chosen for the system • Starts the subsystem processes • Including Csrss • On Windows 2000, the POSIX and OS/2 subsystems too • Starts the logon process (Winlogon) • Creates LPC ports for debug event messages (DbgSsApiPort and DbgUiApiPort) and threads to listen on those ports

  40. Smss (6) • Pending file rename operations • Executable images and DLLs are memory-mapped when they are used • So it is impossible to update core system files after Windows has finished booting • MoveFileEx has an option to specify that a file move be delayed until the next boot • Type: MULTI_SZ • Value syntax • Pairs of filenames • Source: \??\C:\Long Directory Name\Long File Name.exe • Target: an empty string (‘\u0000’) means delete
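As an added example (not the presentation’s code and not Windows code), a Python decoder for a raw REG_MULTI_SZ PendingFileRenameOperations value that walks the buffer pairwise as slides 37 and 40 describe (source, then target; empty target means delete), plus a small review helper that flags operations touching a watched system directory, which is what a defender checking a host for tampering with boot-time files looks at first. The value bytes and the watch list are constructed; the leading ‘!’ on a target marking MOVEFILE_REPLACE_EXISTING is MoveFileEx’s documented encoding, not something the slide states.

```python
NT_PREFIX = '\\??\\'                          # NT object-manager path prefix shown on the slide
WATCHED_DIRS = ('C:\\Windows\\System32\\',)   # illustrative watch list for the review helper


def encode_multi_sz(strings):
    """REG_MULTI_SZ bytes: UTF-16LE, each string NUL-terminated, plus a final NUL."""
    return b''.join(s.encode('utf-16-le') + b'\x00\x00' for s in strings) + b'\x00\x00'


def strip_nt(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_renames(data):
    """Walk the raw value pairwise. A plain split on NUL could not tell the
    empty target that encodes a delete from the list terminator."""
    text, pos, ops = data.decode('utf-16-le'), 0, []
    while pos < len(text):
        end = text.find('\x00', pos)
        end = len(text) if end == -1 else end
        src = text[pos:end]
        if src == '':                    # reached the terminating empty string
            break
        pos = end + 1
        end = text.find('\x00', pos)
        end = len(text) if end == -1 else end
        dst, pos = text[pos:end], end + 1
        replace = dst.startswith('!')    # '!' = MOVEFILE_REPLACE_EXISTING
        dst = dst[1:] if replace else dst
        ops.append({'source': strip_nt(src),
                    'target': strip_nt(dst) if dst else None,
                    'action': 'rename' if dst else 'delete',
                    'replace_existing': replace})
    return ops


def review(ops, watched=WATCHED_DIRS):
    """Operations a reviewer should look at first: anything that creates,
    replaces or deletes a file under a watched directory."""
    hits = []
    for op in ops:
        paths = [p for p in (op['source'], op['target']) if p]
        if any(p.lower().startswith(d.lower()) for p in paths for d in watched):
            hits.append(op)
    return hits


# Constructed sample value: a driver replaced at next boot, a temp file
# deleted (empty target), and a DLL renamed to a backup name.
SAMPLE_VALUE = encode_multi_sz([
    '\\??\\C:\\Windows\\System32\\drivers\\newdisk.sys.tmp',
    '!\\??\\C:\\Windows\\System32\\drivers\\newdisk.sys',
    '\\??\\C:\\Temp\\setup.log',
    '',
    '\\??\\C:\\Program Files\\App\\old.dll',
    '\\??\\C:\\Program Files\\App\\old.dll.bak',
])
```

On a live system the same decoder can be fed the bytes read from the Session Manager key, since the value is stored exactly as encode_multi_sz lays it out.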

  41. Smss (7) • The main thread in Smss waits forever on the process handles to Csrss and Winlogon • If either of these processes terminates unexpectedly • In Windows 2000: Smss crashes the system • If Csrss exits in Windows XP and 2003: the kernel crashes the system

  42. Winlogon (1) • Creates the initial window station and desktop objects • If a DLL is specified in HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\GinaDLL • Uses that DLL as the GINA • Otherwise: uses the Microsoft default GINA, Msgina (\Windows\System32\Msgina.dll) • Displays the standard Windows logon dialog box • Creates the service control manager (SCM) process (\Windows\System32\Services.exe) • Loads all services and device drivers marked for auto-start

  43. Winlogon (2) • Creates the local security authentication subsystem (Lsass) process (\Windows\System32\Lsass.exe) • See the section “Winlogon Initialization” in Chapter 8 • The registry last known good control set is updated to match \CurrentControlSet • After the SCM initializes the auto-start services and drivers • After a user has successfully logged on at the console • HKLM\SYSTEM\Select\LastKnownGood • To override the definition of a successful boot • Set HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\ReportBootOk to 0 • Custom boot verification program • HKLM\System\CurrentControlSet\Control\BootVerificationProgram • Calls NotifyBootConfigStatus

  44. Winlogon (3) • Waits for an interactive logon notification from the GINA • Validates the logon (see “User Logon Steps” in Chapter 8) • Loads the registry hive from the profile and maps it to HKCU • Sets the user’s environment variables • HKCU\Environment • Notifies that a logon has occurred • HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify • e.g. AtiExtEvent

  45. Winlogon (4) • Tells the GINA to start the shell • Msgina launches the executable or executables specified in HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Userinit (separated by commas) • By default: \Windows\System32\Userinit.exe • Userinit.exe runs • The user logon scripts • HKCU\Software\Policies\Microsoft\Windows\System\Scripts • The machine logon scripts • HKLM\Software\Policies\Microsoft\Windows\System\Scripts • Because machine scripts run after user scripts, they can override user settings

  46. Winlogon (5) • Starts \Windows\System32\Proquota.exe • If group policy specifies a user profile quota • To enforce the quota for the current user • Launches the comma-separated shell or shells • HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell • By default: Explorer.exe • Notifies registered network providers that a user has logged in • The Microsoft network provider, Multiple Provider Router (\Windows\System32\Mpr.dll), restores • The user’s persistent drive letter and printer mappings • Stored in HKCU\Network and HKCU\Printers, respectively

  47. Images That Start Automatically • Default system components check and process several locations for automatic process startup during the boot and logon process • Msconfig utility • Windows XP and Windows Server 2003 (\Windows\System32\Msconfig.exe) • Displays the images configured in several of those locations • Sysinternals’ Autoruns tool

  48. EXPERIMENT: Autoruns

  49. Troubleshooting Boot and Startup Problems: Contents • Windows boot-problem recovery modes • Last known good • Safe mode • Recovery console • Common boot problems

  50. Windows boot-problem recovery modes (1) • Last Known Good (LKG) • System’s configuration settings: HKLM\System\CurrentControlSet\Control • Driver and service configuration: HKLM\System\CurrentControlSet\Services • When booting with the Last Known Good menu selection • Marks the control set that failed by setting the HKLM\System\Select\Failed value • Changes HKLM\System\Select\Current to the value of HKLM\System\Select\LastKnownGood • Updates the symbolic link HKLM\System\CurrentControlSet to point at the LastKnownGood control set • Because the key for the newly installed driver that caused the failure is not present in that control set, the system boots successfully
