Chapter 5: Startup and Shutdown
Presenter: 이용석
Date: 24 July 2006

Contents
- Boot Process (x86/x64 systems only)
- Troubleshooting Boot and Startup Problems
- Shutdown
- Conclusion

Boot Process Overview (1)
- BIOS -> MBR -> boot sector -> Ntldr
- Ntldr:
  - loads Ntbootdd.sys (for disks the BIOS does not handle)
  - loads Boot.ini
  - resumes from Hiberfil.sys if a valid one exists
  - Boot.ini entry selection
  - if an MS-DOS entry is selected, loads Bootsect.dos
  - runs Ntdetect.com
  - displays "Starting Windows"

Boot Process Overview (2)
- Ntldr then loads the kernel and HAL images, the SYSTEM registry hive, the boot device drivers, the file system driver, and the remaining boot drivers
- Ntoskrnl, phase 0:
  - interrupts are disabled
  - KiSystemStartup -> HalInitializeProcessor -> KiInitializeKernel

Boot Process Overview (3)
- ExpInitializeExecutive -> HalInitSystem
- Phase 0 initialization of the memory manager, object manager, security reference monitor, process manager (which prepares the thread for phase 1), and Plug and Play manager
- Idle loop

Boot Process Overview (4)
- Phase 1: NLS, LPC, WMI, Command Server Thread
- Smss -> Win32k.sys
- Winlogon -> GINA, SCM
- SCM: services and device drivers; Winlogon: Lsass
- Logon notification from the GINA, shell started through the GINA, etc.

x86 and x64 Boot Process Components (1)

Master Boot Record (MBR) code
  Processor execution mode: 16-bit real mode
  Responsibilities: reads and loads partition boot sectors

Boot sector
  Processor execution mode: 16-bit real mode
  Responsibilities: reads the root directory to load Ntldr

Ntldr
  Processor execution mode: 16-bit real mode and 32-bit or 64-bit protected mode; turns on paging
  Responsibilities: reads Boot.ini, presents the boot menu, and loads Ntoskrnl.exe, Bootvid.dll, Hal.dll, and boot-start device drivers. If a 32-bit installation is booted, switches to 32-bit protected mode; if a 64-bit installation is booted, switches to 64-bit long mode

Ntdetect.com
  Processor execution mode: 16-bit real mode
  Responsibilities: performs hardware detection for Ntldr

Ntbootdd.sys
  Processor execution mode: protected mode
  Responsibilities: device driver used for disk I/O on SCSI and Advanced Technology Attachment (ATA) systems where the BIOS is not used

x86 and x64 Boot Process Components (2)

Ntoskrnl.exe
  Processor execution mode: protected mode with paging
  Responsibilities: initializes executive subsystems and boot and system-start device drivers, prepares the system for running native applications, and runs Smss.exe

Hal.dll
  Processor execution mode: protected mode with paging
  Responsibilities: kernel-mode DLL that interfaces Ntoskrnl and drivers to the hardware

Smss
  Processor execution mode: native application
  Responsibilities: loads the Windows subsystem, including Win32k.sys and Csrss.exe, and starts the Winlogon process

Winlogon
  Processor execution mode: native application
  Responsibilities: starts the service control manager (SCM), starts the Local Security Subsystem (LSASS), and presents the interactive logon dialog box

Service control manager (SCM)
  Processor execution mode: native application
  Responsibilities: loads and initializes auto-start device drivers and Windows services

BIOS (Basic Input/Output System)
- Encoded into the computer's ROM
- Selects a boot device
- Reads that device's MBR into memory
- Transfers control to the code in the MBR

MBR (Master Boot Record)
- Scans the primary partition table for a bootable partition
- Reads that partition's boot sector into memory and transfers control to it

Boot sector
- Each file system needs its own boot sector code
- Read-only, root-directory-capable file system code
- Reads Ntldr into memory from the root directory of the system volume
- Transfers control to Ntldr's entry point
- If Ntldr cannot be found:
  - "BOOT: Couldn't find NTLDR" on FAT
  - "NTLDR is missing" on NTFS

NTLDR (1)
- Begins in real mode
  - No virtual-to-physical translation of memory addresses
  - Only the first 1 MB of memory is usable
- Switches the system to protected mode
  - Still no virtual-to-physical translation
  - The full 32 bits of address become accessible, so all of physical memory can be reached
- Creates enough page tables to make memory below 16 MB accessible with paging turned on, then enables paging
- Boot-code functions briefly switch paging off because they depend on the BIOS for IDE and display access
- For non-IDE disks (e.g. SCSI), loads Ntbootdd.sys, which is a copy of the SCSI miniport driver

NTLDR (2)
- Reads Boot.ini using built-in file system code
  - Like the boot sector's code, read-only
  - But it can read subdirectories
- Clears the screen
- If there is a valid Hiberfil.sys in the root of the system volume:
  - Reads it
  - Transfers control to code in the kernel that resumes a hibernated system
  - Hiberfil.sys is valid only if the computer was hibernated the last time it was shut down
  - See Chapter 11 for information on hibernation

NTLDR (3)
- If there is more than one boot-selection entry in Boot.ini, presents the user with the boot-selection menu
- Selection entries in Boot.ini direct Ntldr to the partition that holds the Windows system directory
  - This partition is the boot partition, or another primary partition
- If the Boot.ini entry refers to an MS-DOS installation (by naming C:\ as the system partition):
  - Reads Bootsect.dos into memory
  - Switches back to 16-bit real mode
  - Calls the MBR code in Bootsect.dos
  - Continues an MS-DOS-specific boot

NTLDR (4)
- Boot options
  - Can be included on entries in Boot.ini
  - The Bootcfg.exe tool sets a number of the switches
  - The selected switches are saved to the registry value HKLM\System\CurrentControlSet\Control\SystemStartOptions
- If nothing is selected within the timeout period, chooses the default selection
  - The first entry whose path matches the path set on the "default=" line
- Loads and executes Ntdetect.com
  - 16-bit real-mode program
  - Uses the system's BIOS to query the computer for basic device and configuration information

NTLDR (5)
- Information gathered by Ntdetect.com:
  - The time and date information stored in the system's CMOS
  - The types of buses on the system and identifiers for devices attached to the buses
  - The number, size, and types of disk drives on the system
  - The types of mouse input devices connected to the system
  - The types of parallel ports configured on the system
  - The types of video adapters present on the system
  - This information is stored under the HKLM\HARDWARE\DESCRIPTION registry key later in the boot
- Loads the boot drivers
  - Windows 2000: displays "Starting Windows"
  - Windows XP and Windows Server 2003: present a logo splash screen

NTLDR (6)
- On an x64 system booting an x64 kernel, switches the processor to long mode (native word size 64 bits)
- Loads the files needed to start kernel initialization from the boot volume
  - The boot volume is the partition that holds the system directory
- Loads the appropriate kernel and HAL images (by default Ntoskrnl.exe and Hal.dll)
  - On failure, prints "Windows could not start because the following file was missing or corrupt", followed by the name of the file

NTLDR (7)
- Reads in the SYSTEM registry hive (\Windows\System32\Config\System) to determine which device drivers must be loaded to accomplish the boot
- Scans the in-memory SYSTEM hive and locates all boot device drivers
  - Boot-device drivers: the drivers necessary to boot the system
  - Indicated in the registry by a Start value of SERVICE_BOOT_START (0)
  - Example: HKLM\SYSTEM\CurrentControlSet\Services\dmio\Start

NTLDR (8)
- Adds the file system driver for the type of partition on which the installation directory resides
  - Must load this driver at this time; if it did not, there would be a circular dependency
- Loads the boot drivers (again, to avoid the circular dependency)
  - Displays a progress bar to show loading progress
  - /SOS switch: displays the file name of each boot driver instead of the progress bar
- Prepares the CPU registers for the execution of Ntoskrnl.exe

Boot options (1)

/3GB
  Increases the size of the user process address space from 2 GB to 3 GB (and therefore reduces the size of system space from 2 GB to 1 GB). Giving virtual-memory-intensive applications such as database servers a larger address space can improve their performance. For an application to take advantage of this feature, however, two additional conditions must be met: the system must be running Windows XP, Windows Server 2003, Windows 2000 Advanced Server, or Datacenter Server; and the application .exe must be flagged as a 3-GB-aware application (applies to 32-bit systems only). (See the section "Address Space Layout" in Chapter 7 for more information.)

/BOOTLOG
  Causes Windows to write a log of the boot to the file %SystemRoot%\Ntbtlog.txt

/BURNMEMORY=
  Specifies an amount of memory Windows can't use (similar to the /MAXMEM switch). The value is specified in megabytes. Example: /BURNMEMORY=128 would indicate that Windows can't use 128 MB of the total physical memory on the machine.

/DEBUG
  Enables kernel-mode debugging

Boot options (2)

/FASTDETECT
  Default boot option for Windows. Replaces the Windows NT 4 switch /NOSERIALMICE. The reason the qualifier exists (vs. just having NTDETECT perform this operation by default) is so that NTDETECT can support booting Windows NT 4. Windows Plug and Play device drivers perform detection of parallel and serial devices, but Windows NT 4 expects NTDETECT to perform the detection. Thus, specifying /FASTDETECT causes NTDETECT to skip parallel and serial device enumeration (actions that are not required when booting Windows), whereas omitting the switch causes NTDETECT to perform this enumeration (which is required for booting Windows NT 4).

/MAXMEM=
  Limits Windows to ignore (not use) physical memory beyond the amount indicated. The number is interpreted in megabytes. Example: /MAXMEM=32 would limit the system to using the first 32 MB of physical memory even if more were present.

/SOS
  Causes Windows to list the device drivers marked to load at boot time and then to display the system version number (including the build number), amount of physical memory, and number of processors

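The entry-selection rule from the NTLDR slides (the first entry whose path matches the "default=" line, and C:\ meaning an MS-DOS hand-off to Bootsect.dos) and the switches in the two tables above can be checked offline from a copy of Boot.ini. The following Python is an added example written for this page, not code from the book or from Windows; the sample Boot.ini, its ARC paths and labels are constructed, and the review rules only cover the switches these slides describe.

```python
import re

# Constructed sample Boot.ini (not from any real machine). The ARC paths and
# labels are invented; the switches are the ones described on these slides.
SAMPLE_BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (kernel debugging)" /fastdetect /debug /sos /maxmem=512
C:\="Microsoft Windows 98"
"""

ENTRY_RE = re.compile(r'^([^=]+)="([^"]*)"(.*)$')


def parse_boot_ini(text):
    """Parse the two Boot.ini sections into timeout, default path, and the entry list."""
    cfg = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section == "boot loader":
            key, _, value = line.partition("=")
            key, value = key.strip().lower(), value.strip()
            if key == "timeout":
                cfg["timeout"] = int(value)
            elif key == "default":
                cfg["default"] = value
        elif section == "operating systems":
            m = ENTRY_RE.match(line)
            if not m:
                continue  # malformed line: not a selectable entry
            path, label, rest = m.group(1).strip(), m.group(2), m.group(3)
            switches = {}
            for token in rest.split():
                name, _, value = token.upper().partition("=")
                switches[name] = value if value else True
            cfg["entries"].append({
                "path": path,
                "label": label,
                "switches": switches,
                # "C:\" names the system partition: Ntldr hands off to Bootsect.dos
                "is_msdos": path.upper() == "C:\\",
            })
    return cfg


def default_entry(cfg):
    """Selection rule from the slide: the first entry whose path matches the default= line."""
    for entry in cfg["entries"]:
        if cfg["default"] and entry["path"].lower() == cfg["default"].lower():
            return entry
    return None


def review_entry(entry):
    """Findings a reviewer of a boot configuration would want to see for one entry."""
    sw = entry["switches"]
    findings = []
    if "/DEBUG" in sw:
        findings.append("kernel-mode debugging is enabled (/DEBUG)")
    for name in ("/MAXMEM", "/BURNMEMORY"):
        if name in sw:
            findings.append(f"physical memory restricted: {name}={sw[name]} MB")
    if "/3GB" in sw:
        findings.append("user address space raised to 3 GB, system space cut to 1 GB (/3GB)")
    if "/SOS" in sw:
        findings.append("boot driver names are listed instead of the progress bar (/SOS)")
    if "/BOOTLOG" in sw:
        findings.append("boot logging to %SystemRoot%\\Ntbtlog.txt is on (/BOOTLOG)")
    if not entry["is_msdos"] and "/FASTDETECT" not in sw:
        findings.append("/FASTDETECT missing: Ntdetect will enumerate serial and parallel devices")
    return findings
```

Both XP entries in the sample share one ARC path, which is exactly the case where the "first matching entry" rule decides which one the timeout picks; the review of the second entry reports /DEBUG, /MAXMEM and /SOS.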
Ntoskrnl (1)
- Receives from Ntldr:
  - A copy of the selected line in Boot.ini
  - A pointer to the memory tables Ntldr generated to describe the physical memory on the system
  - A pointer to the in-memory copies of the HARDWARE and SYSTEM registry hives
  - A pointer to the list of boot drivers
- Two-phase initialization process
  - Most executive subsystem initialization functions take a parameter that identifies which phase is executing

Ntoskrnl (2)

main
    // start of phase 0
    disable interrupts
    KiSystemStartup
        HalInitializeProcessor
        KiInitializeKernel            // on the boot CPU only: systemwide kernel initialization
            ExpInitializeExecutive
                HalInitSystem
                process /BURNMEMORY   // on the boot CPU
                phase 0 initialization routines for the five managers
        proceed to the idle loop
    // end of phase 0

Ntoskrnl (3)
- Phase 0
  - Interrupts are disabled
  - Purpose: build the rudimentary structures required so that the services needed in phase 1 can be invoked
  - Calls KiSystemStartup, which calls HalInitializeProcessor and KiInitializeKernel for each CPU
- KiInitializeKernel
  - On the boot CPU: performs systemwide kernel initialization
  - On the other CPUs: calls ExpInitializeExecutive
- ExpInitializeExecutive
  - Responsible for orchestrating phase 0
  - Calls the HAL function HalInitSystem

Ntoskrnl (4)
- ExpInitializeExecutive on the boot CPU
  - Processes the /BURNMEMORY Boot.ini switch, discarding the amount of memory the switch specifies (compare /MAXMEM)
  - Calls the phase 0 initialization routines of the memory manager, object manager, security reference monitor, process manager, and Plug and Play manager
- HalInitSystem
  - Gains system control before Windows performs significant further initialization
  - Prepares the system interrupt controller of each CPU for interrupts
  - Configures the interval clock timer interrupt, which is used for CPU time accounting (see Chapter 6 for more on CPU time accounting)

Ntoskrnl (5)
- Memory manager's initialization
  - Constructs page tables
  - Prepares internal data structures for basic memory services
  - Builds and reserves an area for the system file cache
  - Creates memory areas for the paged and nonpaged pools
- Object manager's initialization
  - Defines the objects necessary to construct the object manager namespace
  - Creates a handle table
- Security reference monitor's initialization
  - Initializes the token type object
  - Prepares the first local system account token for assignment to the initial process (see Chapter 8)

Ntoskrnl (6)
- Process manager's initialization
  - Performs most of its initialization in phase 0
  - Defines the process and thread object types
  - Sets up lists to track active processes and threads
  - Creates the System process and a system thread to execute the routine Phase1Initialization (not started yet, because interrupts are disabled)
- Plug and Play manager's initialization
  - Simply initializes an executive resource used to synchronize bus resources

Ntoskrnl (7)
- Phase 1
- HalInitSystem
  - Prepares the system to accept interrupts from devices
  - Enables interrupts
- Boot video driver (\Windows\System32\Bootvid.dll)
  - Windows 2000: displays the Windows startup screen
  - Windows XP, 2003: presents the same graphic that Ntldr placed on the screen earlier in the boot
- Power manager's initialization
- The system time is initialized (by HalQueryRealTimeClock) and then stored as the time the system booted
- On a multiprocessor system, the remaining processors are initialized and execution starts
- The progress bar is set to 5 percent

Ntoskrnl (8)
- The object manager creates:
  - the namespace root directory (\)
  - the \ObjectTypes directory
  - the DOS device name mapping directory (\?? on Windows 2000, \Global?? on Windows XP and Windows Server 2003)
  - the \DosDevices symbolic link that points at the DOS device name mapping directory
- The executive creates the executive object types, including semaphore, mutex, event, and timer
- The kernel initializes the scheduler (dispatcher) data structures and the system service dispatch table

Ntoskrnl (9)
- The security reference monitor
  - Creates the \Security directory in the object manager namespace
  - Initializes auditing data structures if auditing is enabled
- The progress bar is set to 10 percent
- The memory manager creates the section object type and the memory manager's system worker thread (explained in Chapter 7)
- National language support (NLS) tables are mapped into system space
- Ntdll.dll is mapped into the system address space
- The cache manager
  - Initializes the file system cache data structures
  - Creates its worker thread

Ntoskrnl (10)
- The configuration manager
  - Creates the \Registry key object in the object manager namespace
  - Copies the initial registry data passed by Ntldr into the HARDWARE and SYSTEM hives
- Global file system driver data structures are initialized
- The Plug and Play manager calls the Plug and Play BIOS
- The progress bar is set to 20 percent
- The local procedure call (LPC) subsystem initializes the LPC port type object
- If the system was booted with boot logging (/BOOTLOG), the boot log file is initialized
- The progress bar is set to 25 percent

Ntoskrnl (11)
- The I/O manager initialization
  - Initializes various internal structures
  - Creates the driver and device object types
  - Calls the Plug and Play manager, power manager, and HAL to begin the various stages of dynamic device enumeration and initialization (see Chapter 9)
  - Windows Management Instrumentation (WMI) is initialized (see Chapter 4)
  - Boot-start drivers are called to perform their driver-specific initialization
  - System-start device drivers are loaded and initialized (see Chapter 9)
  - MS-DOS device names are created as symbolic links in the object manager's namespace

Ntoskrnl (12)
- The progress bar is set to 75 percent
- If the computer is booting in safe mode, this fact is recorded in the registry
- Unless explicitly disabled in the registry, paging of kernel-mode code (in Ntoskrnl and drivers) is enabled
- The progress bar is set to 80 percent
- The power manager initializes various power management structures
- The progress bar is set to 85 percent
- The security reference monitor creates the Command Server Thread that communicates with Lsass (see Chapter 8)
- The progress bar is set to 90 percent
- The Session Manager subsystem (Smss) is created
- The progress bar is (finally) set to 100 percent

Ntoskrnl (13)
- The phase 1 initialization thread waits on the handle to the Session Manager process with a timeout of 5 seconds
  - If the wait times out, the system crashes itself with a SESSION5_INITIALIZATION_FAILED bug check code
  - Otherwise the Session Manager is assumed to have started successfully, and the thread calls the memory manager's zero page thread function (explained in Chapter 7)
- This system thread becomes the zero page thread for the remainder of the life of the system

Smss (1)
- Considered a trusted part of the operating system by Windows, so it can perform actions such as creating security tokens
- Is a native application
  - Doesn't use Windows APIs; uses only core executive APIs, the Windows native API
  - Because the Windows subsystem isn't executing when Smss launches
- Starts the Windows subsystem
- Calls the configuration manager executive subsystem to initialize the registry

Smss (2)
- Fleshes the registry out to include all its keys
  - The configuration manager records the paths to the hives it loads in the HKLM\SYSTEM\CurrentControlSet\Control\hivelist key
- Creates an LPC port object (\SmApiPort) and two threads to wait for client requests
  - Requests such as loading a new subsystem or creating a session
- Defines the symbolic links for MS-DOS device names, such as COM1 and LPT1
- If Terminal Services is installed, creates the \Sessions directory in the object manager's namespace (for multiple sessions)

Smss (3)
- Runs the programs listed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
  - Typically the boot-time version of Chkdsk (autochk)
- Performs delayed file rename and delete operations
  - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
  - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2
- Opens known DLLs
  - The list of DLLs in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

Smss (4)
- Creates section objects for the known DLLs in the \KnownDlls directory of the object manager namespace
- Creates additional paging files
  - Configuration: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles
- Initializes the registry
  - Fleshes out the registry by loading the registry hives for the HKLM\SAM, HKLM\SECURITY, and HKLM\SOFTWARE keys
  - Hive locations are looked up in HKLM\SYSTEM\CurrentControlSet\Control\hivelist; for these hives the location is forced to \Windows\System32\Config

Smss (5)
- Creates system environment variables
  - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
- Loads the kernel-mode part of the Windows subsystem (Win32k.sys)
  - The path to it and its components: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
  - Win32k.sys changes the display from VGA mode to the default resolution chosen for the system
- Starts the subsystem processes, including Csrss
  - On Windows 2000, the POSIX and OS/2 subsystems too
- Starts the logon process (Winlogon)
- Creates LPC ports for debug event messages (DbgSsApiPort and DbgUiApiPort) and a thread to listen on those ports

Smss (6)
- Pending file rename operations
  - Executable images and DLLs are memory-mapped while they are in use, so it is impossible to update core system files after Windows has finished booting
  - MoveFileEx has an option to specify that a file move be delayed until the next boot
  - Value type: MULTI_SZ
  - Value syntax: pairs of file names
    - Source: \??\C:\Long Directory Name\Long File Name.exe
    - Target: the destination name, or an empty string ('\u0000') to delete the source

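Because PendingFileRenameOperations is the one place where Smss replaces or removes files before any protection (such as WFP, later in this chapter) is running, it is worth being able to decode the value offline. The block below is an added example written for this page, not code from the book or from Windows. It encodes and decodes the REG_MULTI_SZ form described on the slide, splits it into source/target pairs, and flags operations that touch the system directory; the sample value and its paths are constructed, and "C:\Windows" as SystemRoot is an assumption of the example.

```python
# Assumed system root for the path checks (an assumption of this example).
SYSTEM_DIR = "c:\\windows\\system32\\"


def encode_multi_sz(strings):
    """REG_MULTI_SZ: each string NUL-terminated (UTF-16LE), then one more NUL ends the list."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + "\0".encode("utf-16-le")


def decode_multi_sz(data):
    """Decode REG_MULTI_SZ without stopping at the first empty string: an empty target in
    PendingFileRenameOperations means 'delete', so double NULs occur inside the data."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("value is not a terminated REG_MULTI_SZ")
    parts = text[:-1].split("\0")  # drop the list terminator, split on string terminators
    parts.pop()                    # the empty piece after the last string's own NUL
    return parts


def parse_pending_renames(strings):
    """Turn the flat string list into (source, target) operations as Smss interprets them."""
    if len(strings) % 2:
        raise ValueError("PendingFileRenameOperations must hold source/target pairs")
    ops = []
    for source, target in zip(strings[0::2], strings[1::2]):
        ops.append({"source": source, "target": target,
                    "action": "delete" if target == "" else "rename"})
    return ops


def _native_to_dos(path):
    """Strip the \\??\\ native-namespace prefix and lower-case for comparison."""
    p = path[4:] if path.startswith("\\??\\") else path
    return p.lower()


def review_pending(ops):
    """Flag operations that will replace or remove files under the system directory at next boot."""
    findings = []
    for op in ops:
        src, dst = _native_to_dos(op["source"]), _native_to_dos(op["target"])
        if op["action"] == "rename" and dst.startswith(SYSTEM_DIR):
            findings.append(f"system file replaced at boot: {op['target']} <- {op['source']}")
        if op["action"] == "delete" and src.startswith(SYSTEM_DIR):
            findings.append(f"system file deleted at boot: {op['source']}")
    return findings


# Constructed sample value: a pending driver update, a temporary-file cleanup,
# and a delete of a DLL under System32 (invented paths, not from a real machine).
SAMPLE_PAIRS = [
    ("\\??\\C:\\Temp\\update\\sampledrv.sys", "\\??\\C:\\WINDOWS\\system32\\drivers\\sampledrv.sys"),
    ("\\??\\C:\\Temp\\update\\install.log", ""),
    ("\\??\\C:\\WINDOWS\\system32\\sample_hook.dll", ""),
]
SAMPLE_VALUE = encode_multi_sz([s for pair in SAMPLE_PAIRS for s in pair])
```

The decoder deliberately does not use the usual "stop at the first double NUL" rule, because a delete entry produces exactly that byte pattern in the middle of the value; a naive decoder would silently drop every operation after the first delete.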
Smss (7)
- The main thread in Smss waits forever on the process handles of Csrss and Winlogon
- If either of these processes terminates unexpectedly:
  - Windows 2000: Smss crashes the system
  - Windows XP and 2003: if Csrss exits, the kernel crashes the system

Winlogon (1)
- Creates the initial window station and desktop objects
- If a DLL is specified in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL, uses that DLL as the GINA
  - Otherwise uses the Microsoft default GINA, Msgina (\Windows\System32\Msgina.dll)
- Displays the standard Windows logon dialog box
- Creates the service control manager (SCM) process (\Windows\System32\Services.exe)
  - The SCM loads all services and device drivers marked for auto-start

Winlogon (2)
- Creates the local security authentication subsystem (Lsass) process (\Windows\System32\Lsass.exe)
  - See the section "Winlogon Initialization" in Chapter 8
- The registry's last known good control set (HKLM\SYSTEM\Select\LastKnownGood) is updated to match \CurrentControlSet
  - After the SCM initializes the auto-start services and drivers, and
  - After a user has successfully logged on at the console
- Overriding the definition of a successful boot
  - Set HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportBootOk to 0
  - Register a custom boot verification program in HKLM\System\CurrentControlSet\Control\BootVerificationProgram
  - That program calls NotifyBootConfigStatus

Winlogon (3)
- Waits for an interactive logon notification from the GINA
- Validates the logon (see "User Logon Steps" in Chapter 8)
- Loads the registry hive from the user's profile and maps it to HKCU
- Sets the user's environment variables from HKCU\Environment
- Notifies registered packages that a logon has occurred
  - HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify (example subkey: AtiExtEvent)

Winlogon (4)
- Tells the GINA to start the shell
  - Msgina launches the executable or executables specified in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (separated by commas)
  - By default: \Windows\System32\Userinit.exe
- Userinit.exe runs the user logon scripts
  - HKCU\Software\Policies\Microsoft\Windows\System\Scripts
- Then the machine logon scripts
  - HKLM\Software\Policies\Microsoft\Windows\System\Scripts
  - Because machine scripts run after user scripts, they can override user settings

Winlogon (5)
- Starts \Windows\System32\Proquota.exe if group policy specifies a user profile quota, to enforce the quota for the current user
- Launches the comma-separated shell or shells
  - HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell
  - By default: Explorer.exe
- Notifies registered network providers that a user has logged in
  - The Microsoft network provider, Multiple Provider Router (\Windows\System32\Mpr.dll), restores the user's persistent drive letter and printer mappings, stored in HKCU\Network and HKCU\Printers respectively

Images that Start Automatically
- Several default system components check registry locations and start images automatically during the boot and logon process
- The Msconfig utility
  - Windows XP and Windows Server 2003 (\Windows\System32\Msconfig.exe)
  - Displays the images configured in several of these locations
- Sysinternals' Autoruns tool

EXPERIMENT: Autoruns

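The Winlogon slides name the locations an Autoruns-style review has to cover: Userinit and Shell (comma-separated lists, so an appended image also runs at logon), GinaDLL, the Notify packages, ReportBootOk, and Smss's BootExecute. The following Python is an added example for this page, not Autoruns and not code from the book: it compares a snapshot of those values with the defaults the slides state. The snapshot, its image names and the Notify baseline are constructed; "C:\WINDOWS" as SystemRoot and "autocheck autochk *" as the stock BootExecute command are assumptions of the example.

```python
WINLOGON_KEY = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
NOTIFY_KEY = WINLOGON_KEY + r"\Notify"
SESSION_MANAGER_KEY = r"HKLM\SYSTEM\CurrentControlSet\Control\Session Manager"

# Defaults the slides state (Userinit.exe, Explorer.exe, Msgina.dll) plus the stock
# BootExecute command that runs the boot-time Chkdsk (an assumption of this example).
EXPECTED = {
    "userinit": "userinit.exe",
    "shell": "explorer.exe",
    "gina": "msgina.dll",
    "bootexecute": {"autocheck autochk *"},
}


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_logon_autostarts(snapshot, known_notify=frozenset()):
    """Return findings for every logon/boot autostart location on the slides that deviates
    from its default. snapshot maps key path -> {value name: data}; known_notify is the
    reviewer's baseline of accepted Notify subkeys."""
    findings = []
    wl = snapshot.get(WINLOGON_KEY, {})
    # Userinit and Shell are comma-separated lists: every extra entry runs at logon.
    for value, expected in (("Userinit", EXPECTED["userinit"]), ("Shell", EXPECTED["shell"])):
        for item in wl.get(value, "").split(","):
            item = item.strip()
            if item and _basename(item) != expected:
                findings.append(f"Winlogon\\{value} runs an unexpected image: {item}")
    gina = wl.get("GinaDLL")
    if gina is not None and _basename(gina) != EXPECTED["gina"]:
        findings.append(f"custom GINA replaces Msgina: {gina}")
    if wl.get("ReportBootOk") == "0":
        findings.append("ReportBootOk=0: Last Known Good is updated by a custom boot verification program")
    for subkey, dll in snapshot.get(NOTIFY_KEY, {}).items():
        if subkey not in known_notify:
            findings.append(f"logon notification package not in baseline: {subkey} -> {dll}")
    for cmd in snapshot.get(SESSION_MANAGER_KEY, {}).get("BootExecute", []):
        if cmd not in EXPECTED["bootexecute"]:
            findings.append(f"Smss BootExecute runs before the Windows subsystem exists: {cmd}")
    return findings


# Constructed snapshot (not read from a real registry): one extra Userinit image,
# one Notify package outside the baseline, one extra BootExecute command.
SAMPLE_SNAPSHOT = {
    WINLOGON_KEY: {
        "Userinit": r"C:\WINDOWS\system32\userinit.exe,C:\Documents and Settings\All Users\update.exe",
        "Shell": "Explorer.exe",
        # no GinaDLL value: Winlogon falls back to Msgina.dll
        "ReportBootOk": "1",
    },
    NOTIFY_KEY: {"AtiExtEvent": "vendor_event.dll", "SampleNotify": "sample_notify.dll"},
    SESSION_MANAGER_KEY: {"BootExecute": ["autocheck autochk *", "sample_cleaner.exe"]},
}
```

A snapshot containing only the default Userinit and Shell values produces no findings; the sample above produces three, one per planted deviation.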
Troubleshooting Boot and Startup Problems: Contents
- Windows boot-problem recovery modes
  - Last known good
  - Safe mode
  - Recovery console
- Common boot problems

Windows boot-problem recovery modes (1)
- Last Known Good (LKG)
  - System configuration settings: HKLM\System\CurrentControlSet\Control
  - Driver and service configuration: HKLM\System\CurrentControlSet\Services
- When booting with the last known good menu selection:
  - Marks the control set that failed by setting the HKLM\System\Select\Failed value
  - Changes HKLM\System\Select\Current to the value of HKLM\System\Select\LastKnownGood
  - Updates the symbolic link HKLM\System\CurrentControlSet to point at the LastKnownGood control set
  - Because the new driver's key is not present in that control set, the system boots successfully

Windows boot-problem recovery modes (2)
- Safe Mode
  - For when a device driver crashes the machine during the boot sequence
  - Software and hardware configurations can change over time
  - A concept Windows borrowed from Consumer Windows: boot with a minimal set of device drivers and services
- Four safe-mode variations
  - Safe Mode
  - Safe Mode With Networking
  - Safe Mode With Command Prompt
  - Directory Services Restore mode: everything except the Active Directory service, so repair operations can be run on the database

Windows boot-problem recovery modes (3)
- Recovery Console
  - In some situations a safe-mode boot won't help the system boot:
    - Ex) the driver that prevents the system from booting is a member of a Safe group
    - Ex) a third-party boot-start driver, such as a virus scanner driver, prevents the system from booting
    - Ex) a system module or critical device driver file that is part of a safe-mode configuration becomes corrupt, or the system drive's Master Boot Record (MBR) is damaged
  - Boots into a limited command-line shell from the Windows CD or boot disks
  - Lets you repair an installation without having to boot the installation

Solving Common Boot Problems (1)
- MBR Corruption
  - Symptoms: the system executes the BIOS power-on self test (POST), displays BIOS version information or OEM branding, switches to a black screen, and then hangs; or it prints "Invalid Partition Table", "Error Loading Operating System", or "Missing Operating System"
  - Cause: hard-disk errors, a driver bug while Windows is running, or intentional scrambling by a virus
  - Resolution: boot into the Recovery Console and execute the fixmbr command. This replaces the executable code in the MBR; it cannot restore a damaged partition table
- Other common problems: boot sector corruption, Boot.ini misconfiguration, system file corruption, system hive corruption, post-splash-screen crash or hang

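The MBR slide earlier in this chapter (scan the primary partition table for a bootable partition, load its boot sector) and the MBR corruption symptoms above both come down to the 512-byte sector layout: 446 bytes of code, four 16-byte partition entries, and the 0x55AA signature. The following Python is an added example for this page, not code from the book or from Windows: it parses a sector, applies the same "first active entry" scan the MBR code performs, and reports the conditions behind the symptoms listed above. The partition entry layout and the 0x80 active flag are the standard MBR format, not taken from the slides; the sample sector is constructed.

```python
import hashlib
import struct

MBR_SIZE = 512
TABLE_OFFSET = 0x1BE        # four 16-byte partition entries follow the boot code
ENTRY_FMT = "<B3sB3sII"     # boot flag, CHS start, type, CHS end, LBA start, sector count
ACTIVE = 0x80


def build_sample_mbr(active_index=0, corrupt_signature=False):
    """Constructed 512-byte MBR for the examples below (not an image of a real disk)."""
    # (partition type, starting LBA, sector count); 0x07 is the NTFS type id
    layout = [(0x07, 63, 20_000_000), (0x07, 20_000_063, 10_000_000)]
    entries = b""
    for i, (ptype, start, count) in enumerate(layout):
        flag = ACTIVE if i == active_index else 0x00
        entries += struct.pack(ENTRY_FMT, flag, b"\xfe\xff\xff", ptype, b"\xfe\xff\xff", start, count)
    entries += bytes(16 * (4 - len(layout)))           # unused slots are all zero
    signature = b"\x00\x00" if corrupt_signature else b"\x55\xaa"
    return bytes(446) + entries + signature


def parse_mbr(data):
    """Decode the partition table and the 0x55AA signature from a 512-byte sector."""
    if len(data) != MBR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = TABLE_OFFSET + i * 16
        flag, _, ptype, _, start, count = struct.unpack(ENTRY_FMT, data[off:off + 16])
        if ptype == 0:
            continue
        partitions.append({"index": i, "active": flag == ACTIVE, "type": ptype,
                           "lba_start": start, "sectors": count})
    return {"signature_ok": data[510:512] == b"\x55\xaa", "partitions": partitions}


def find_bootable(parsed):
    """The MBR code's scan: the first entry flagged active is the one whose boot sector is loaded."""
    for p in parsed["partitions"]:
        if p["active"]:
            return p
    return None


def boot_code_digest(data):
    """SHA-256 of the 446 bytes of executable code, for comparison against a known-good baseline."""
    return hashlib.sha256(data[:446]).hexdigest()


def check_mbr(data):
    """Findings that correspond to the MBR-corruption symptoms on the slide."""
    parsed = parse_mbr(data)
    findings = []
    if not parsed["signature_ok"]:
        findings.append("missing 0x55AA signature (the BIOS will not treat the sector as bootable)")
    active = [p for p in parsed["partitions"] if p["active"]]
    if not active:
        findings.append("no active partition (nothing for the MBR code to hand off to)")
    if len(active) > 1:
        findings.append("multiple active partitions (the MBR code reports an invalid partition table)")
    for p in parsed["partitions"]:
        if p["lba_start"] == 0 or p["sectors"] == 0:
            findings.append(f"entry {p['index']} has a zero start or length")
    return findings
```

Since fixmbr rewrites only the code bytes, keeping a digest of those 446 bytes from a known-good state is what lets you tell "code replaced" apart from "partition table damaged", which fixmbr does not repair.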
Solving Common Boot Problems (2)
- Windows File Protection (WFP)
  - Runs within Winlogon
  - Implemented in two DLLs: \Windows\System32\Sfc.dll and \Windows\System32\Sfc_os.dll
  - Monitors several directories for changes to key drivers, executables, and DLLs, including most subdirectories under \Windows, using the native API version of ReadDirectoryChangesW
  - If a monitored file is modified and the new file isn't Microsoft-signed, WFP rolls it back from the DllCache directory
  - If the file isn't in DllCache, WFP looks in the network install path or on the setup media

Solving Common Boot Problems (3)
- Diffing the failed control set against the current one after a Last Known Good (LKG) boot:
  1. Run Regedit and select HKLM\System\CurrentControlSet
  2. Select Export from the File menu and save to a file named good.reg
  3. Open HKLM\System\Select, read the value of Failed, and select the subkey named HKLM\System\ControlSetXXX, where XXX is the value of Failed
  4. Export the contents of that control set to bad.reg
  5. Use WordPad (found under Accessories in the Start menu) to globally replace all instances of "CurrentControlSet" in good.reg with "ControlSet"
  6. Use WordPad to change all instances of "ControlSetXXX" (with XXX the value of the Failed control set) in bad.reg to "ControlSet"
  7. Run Windiff from the Support Tools and compare the two files

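Three slides in this chapter describe the same data structure from different angles: Ntldr's scan of the SYSTEM hive for services whose Start value is SERVICE_BOOT_START (0) (NTLDR (7)), the Select key manipulation that an LKG boot performs (recovery modes (1)), and the Regedit/Windiff procedure above for finding what differed in the failed control set. The following Python is an added example for this page, not code from the book or from Windows; it models a SYSTEM hive as nested dicts, performs the LKG switch on the Select key, lists boot-start drivers, and produces the diff the procedure above obtains by hand. The hive contents are constructed; the Start values other than 0 use the standard service-start constants, which the slides do not list.

```python
import copy

# Service Start values: the slides name SERVICE_BOOT_START; the rest are the standard set.
START_NAMES = {0: "SERVICE_BOOT_START", 1: "SERVICE_SYSTEM_START", 2: "SERVICE_AUTO_START",
               3: "SERVICE_DEMAND_START", 4: "SERVICE_DISABLED"}


def make_sample_hive():
    """Constructed SYSTEM hive: ControlSet001 is the set that failed to boot, ControlSet002 is LKG."""
    good_services = {
        "dmio":   {"Start": 0, "ImagePath": r"System32\drivers\dmio.sys"},
        "Ntfs":   {"Start": 0, "ImagePath": r"System32\drivers\Ntfs.sys"},
        "Sample": {"Start": 2, "ImagePath": r"System32\sample.exe"},
    }
    bad_services = copy.deepcopy(good_services)
    # What changed before the failed boot: a new boot-start driver, and an
    # auto-start service promoted to boot start (invented names).
    bad_services["newdrv"] = {"Start": 0, "ImagePath": r"System32\drivers\newdrv.sys"}
    bad_services["Sample"]["Start"] = 0
    return {
        "Select": {"Current": 1, "Default": 1, "Failed": 0, "LastKnownGood": 2},
        "ControlSet001": {"Services": bad_services},
        "ControlSet002": {"Services": good_services},
    }


def control_set_name(n):
    return f"ControlSet{n:03d}"


def current_control_set(hive):
    """HKLM\\SYSTEM\\CurrentControlSet is a symbolic link to the set that Select\\Current names."""
    return control_set_name(hive["Select"]["Current"])


def boot_last_known_good(hive):
    """The LKG menu choice: mark the current set as Failed, make LastKnownGood current."""
    sel = hive["Select"]
    sel["Failed"] = sel["Current"]
    sel["Current"] = sel["LastKnownGood"]
    return current_control_set(hive)


def boot_start_drivers(control_set):
    """Ntldr's scan of the hive: every service whose Start value is SERVICE_BOOT_START (0)."""
    return sorted(name for name, v in control_set["Services"].items() if v.get("Start") == 0)


def diff_services(failed_set, good_set):
    """Offline equivalent of exporting both control sets and comparing them in Windiff."""
    bad, good = failed_set["Services"], good_set["Services"]
    changed = []
    for name in sorted(set(bad) & set(good)):
        for value in sorted(set(bad[name]) | set(good[name])):
            if bad[name].get(value) != good[name].get(value):
                changed.append((name, value, good[name].get(value), bad[name].get(value)))
    return {"added": sorted(set(bad) - set(good)),
            "removed": sorted(set(good) - set(bad)),
            "changed": changed}


def diff_after_lkg(hive):
    """After an LKG boot, compare the set Select\\Failed names with the now-current set."""
    failed = control_set_name(hive["Select"]["Failed"])
    return diff_services(hive[failed], hive[current_control_set(hive)])
```

On the sample hive the diff reports newdrv as added and the Sample service's Start value changed from 2 to 0, which is the same answer the Windiff procedure reaches after the two search-and-replace passes normalize the key names.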
Shutdown (1)
- A logged-on user initiates shutdown by calling ExitWindowsEx
- ExitWindowsEx sends a message to Csrss instructing it to perform the shutdown
- Csrss terminates all the processes in the interactive user's session

Shutdown (1): sequence diagram (reconstructed from the slide's figure)
1. Logged-on user A calls ExitWindowsEx
2. Shutdown message to Csrss
3. Csrss sends a shutdown message to Winlogon (for logged-on user A)
4. Winlogon calls ExitWindowsEx with a special flag, once for each logged-on user
5. Shutdown message to Csrss
6. Csrss sends WM_QUERYENDSESSION to processes owning a top-level window
7. Csrss sends WM_ENDSESSION
8. Csrss sends CTRL_LOGOFF_EVENT to console applications
9. Winlogon calls Csrss to terminate the COM processes related to the interactive user's session
10. Shutdown message
11. The COM processes are terminated

Shutdown (2)
- Csrss, for each request from Winlogon (i.e. for each interactive user, not only the user who requested the shutdown):
  - In reverse order of their shutdown level (set by calling SetProcessShutdownParameters)
  - For each process that owns a top-level window:
    - For each thread in the process that has a Windows message loop:
      - Sends the WM_QUERYENDSESSION message; if the thread returns TRUE, the system shutdown can proceed
      - Sends the WM_ENDSESSION Windows message
      - Waits the number of seconds defined in HKCU\Control Panel\Desktop\HungAppTimeout; on timeout, displays the hung-program dialog box
    - Terminates the process

EXPERIMENT: Witnessing the HungAppTimeout

Shutdown (3)
- For each console application:
  - Sends the CTRL_LOGOFF_EVENT event
  - If the handler returns FALSE: kills the process
  - If it returns TRUE or doesn't respond: waits HKCU\Control Panel\Desktop\WaitToKillAppTimeout, then displays the hung-program dialog box
- For the request Winlogon makes through ExitWindowsEx, terminates any COM processes that are part of the interactive user's session
- Then sends messages to all the processes belonging to the system context

Shutdown (4): system-context pass (reconstructed from the slide's figure)
1. Winlogon calls ExitWindowsEx in the system process context
2. Shutdown message to Csrss
   Csrss looks at all the processes belonging to the system context
3. Csrss sends WM_QUERYENDSESSION to GUI threads
4. Csrss sends WM_ENDSESSION
5. Csrss sends CTRL_SHUTDOWN_EVENT to registered control handlers
6. The SCM sends the service shutdown control message to services

Shutdown (5)
- Csrss applies the same timeouts as when it terminated the user processes, but in this pass it:
  - Doesn't display any dialog boxes
  - Doesn't kill any processes
  - Simply allows system processes a chance to clean up and exit before the system shuts down
- Many system processes are in fact still running when the system shuts down: Smss, Winlogon, SCM, Lsass, etc.
- Csrss then finishes its pass notifying system processes that the system is shutting down

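The Csrss behaviour across Shutdown (2), (3) and (5) is a small protocol: processes are visited in descending shutdown level, GUI processes get WM_QUERYENDSESSION then WM_ENDSESSION, console processes get CTRL_LOGOFF_EVENT (CTRL_SHUTDOWN_EVENT in the system-context pass), hung processes trigger a dialog in the user pass only, and nothing is killed in the system pass. The simulation below is an added example for this page, not code from the book or from Windows: it replays those rules over constructed processes and returns the event order. The process names are invented; the default shutdown level 0x280 and the treatment of a FALSE reply to WM_QUERYENDSESSION as a veto are assumptions beyond what the slides state.

```python
DEFAULT_SHUTDOWN_LEVEL = 0x280   # level a process has unless it called SetProcessShutdownParameters


class Proc:
    """A process in the simulation. kind is "gui" (owns a top-level window) or "console".
    reply is its answer to the shutdown query: True, False, or None for 'never answers'."""

    def __init__(self, name, kind="gui", level=DEFAULT_SHUTDOWN_LEVEL, reply=True):
        self.name, self.kind, self.level, self.reply = name, kind, level, reply


def csrss_shutdown_pass(procs, system_context=False):
    """One Csrss pass. system_context=False is the pass over an interactive user's processes
    (dialogs and kills); system_context=True is the pass over system-context processes
    (notification only: no dialog, no kill). Returns the ordered event log."""
    log = []
    # Reverse order of shutdown level: higher levels are asked first; ties keep list order.
    for p in sorted(procs, key=lambda q: q.level, reverse=True):
        if p.kind == "gui":
            log.append(f"{p.name}: WM_QUERYENDSESSION")
            if p.reply is None:
                log.append(f"{p.name}: no reply within HungAppTimeout"
                           + ("" if system_context else ", hung-program dialog"))
            elif p.reply is False and not system_context:
                # Assumption beyond the slide, which only states the TRUE case: a FALSE
                # reply vetoes an unforced shutdown.
                log.append(f"{p.name}: returned FALSE, shutdown aborted")
                return log
            else:
                log.append(f"{p.name}: WM_ENDSESSION")
        else:
            event = "CTRL_SHUTDOWN_EVENT" if system_context else "CTRL_LOGOFF_EVENT"
            log.append(f"{p.name}: {event}")
            if not system_context and p.reply is False:
                log.append(f"{p.name}: handler returned FALSE, killed")
                continue
            if not system_context:
                log.append(f"{p.name}: WaitToKillAppTimeout elapsed, hung-program dialog")
        log.append(f"{p.name}: left running" if system_context else f"{p.name}: terminated")
    return log


def shutdown(user_sessions, system_procs):
    """Winlogon's side: one user pass per logged-on session, then the system-context pass."""
    return {"users": {user: csrss_shutdown_pass(procs) for user, procs in user_sessions.items()},
            "system": csrss_shutdown_pass(system_procs, system_context=True)}


# Constructed processes (names invented for the example).
SAMPLE_USER_PROCS = [
    Proc("editor.exe", "gui", level=0x3FF),       # highest level: asked first
    Proc("viewer.exe", "gui", reply=None),        # hangs on WM_QUERYENDSESSION
    Proc("build.exe", "console", reply=False),    # control handler returns FALSE
    Proc("shell_ext.exe", "gui", level=0x100),    # lowest level: asked last
]
SAMPLE_SYSTEM_PROCS = [Proc("svc_agent.exe", "console"), Proc("tray_helper.exe", "gui", reply=None)]
```

Running the user pass on the sample shows the level ordering (editor.exe first, shell_ext.exe last) and the two timeouts from the slides; running the system pass on the same kinds of process yields only notifications, which is why the slide can say that Smss, Winlogon, the SCM and Lsass are still running when the system actually shuts down.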
Shutdown (6): kernel side (reconstructed from the slide's figure)
1. Winlogon calls NtShutdownSystem
2. NtShutdownSystem calls NtSetSystemPowerState
3. NtSetSystemPowerState orchestrates the shutdown of the drivers and of the rest of the executive subsystems: Plug and Play manager, power manager, executive, I/O manager, configuration manager, memory manager

Shutdown (7)
- System shutdown ends in the power manager
- Which performs a shutdown, a reboot, or a power down

Conclusion
- We have covered the detailed steps involved in starting and shutting down Windows
- We are now ready to explore the individual executive components in more detail, starting with processes and threads