7.1 Windows 9x Contrasts
7.1.3 Windows 2000 boot process
The boot process of the Windows 2000 operating system is very different from that of Windows 9x. The Windows 9x boot process is much simpler and more straightforward. Windows 9x and Windows 2000 use completely different files to start the operating system. While Windows 9x has a few files that load the startup programs and check for device drivers (discussed in previous chapters), the Windows 2000 boot process is much more involved and requires the use of many more files. The main reason for the extra steps and files required by Windows 2000 is the added features it offers, like the security and logon features. In addition, many of the features that are supported in Windows 98, like specific device drivers, or VxDs, for example, are not supported by the Windows NT/2000 operating system. A VxD is a special type of device driver that has direct access to the operating system kernel. This allows it to interact with system and hardware resources at a very low level without taking up a lot of the system resources.

Windows 2000 goes through a series of steps as it boots the computer. If everything is working, the user will not care much about the details of the process. However, when troubleshooting boot problems, it is helpful to understand how the boot process works. The Windows 2000 boot process occurs in five stages:

  • The preboot sequence 
  • The boot sequence 
  • The kernel load 
  • The kernel initialization 
  • The logon process

Learning about the boot process and the files that are used in the stages of this process will help to effectively troubleshoot problems with the operating system.

Before looking at the details of the boot process, it might be a good idea to get a look at the files that are required to complete a successful boot and to see where these files must be located.

It is also important to note that the boot process referred to in this chapter is that of an Intel-based system. The boot process will be slightly different on non-Intel based systems because NTLDR is not needed. On these systems there is a file called OSLOADER.EXE that performs this function. The NTDETECT.COM file is not needed on non-Intel based systems either, because that function is performed during the POST, and the information gathered from the POST is given to NTOSKRNL.EXE through OSLOADER.EXE. From that point on, Intel-based and non-Intel based systems boot the same way.

Step 1: Preboot Sequence
The first step in the boot process after the power is turned on to the computer is the Power On Self Test (POST). This is one thing that Windows 2000 and Windows 9x have in common (see Chapters 2, 11 and 12) and is actually something that every computer will do, regardless of its operating system. During the POST, a computer will test its memory and verify that it has all the necessary hardware, such as a keyboard, mouse, and so on. After the computer completes the POST, it will allow other adapter cards, such as a SCSI card, to run their own POSTs. After the POST routine is complete, the computer will locate a boot device and load the Master Boot Record (MBR) into memory, which in turn locates the active partition and loads it into memory. The MBR allows programs such as the Disk Operating System to load into RAM. Up to this point, the computer hardware has played an important role, and unless it is functioning properly, the operating system will not load. At this point the computer loads and initializes the NTLDR file, which is the operating system loader, and begins to load the operating system.

Step 2: Boot Sequence
Once the computer loads NTLDR, the boot sequence begins to gather information about hardware and drivers. NTLDR is the key component of this step. NTLDR uses the Ntdetect.com, Boot.ini, and Bootsect.dos files. The Bootsect.dos file will only be used in the event that the computer is set up to dual-boot. One major function of NTLDR is to switch the processor into 32-bit flat memory mode. Until this point the computer was running in real mode, just like the old 8086/8088 CPUs (real mode is discussed in Chapter 4). Next, NTLDR starts the file system, either FAT or NTFS, so that it can read the files from the disk. NTLDR then reads the Boot.ini file to display the boot menu on the screen. The user can now select which operating system to load if the computer is set to dual-boot. If an operating system other than Windows 2000 is selected, NTLDR loads the Bootsect.dos file and passes control to it, which then boots the other OS. If Windows 2000 is selected, or if the computer is not dual-booting, NTLDR runs Ntdetect.com, which will gather information about the computer hardware. It is also in this step that F8 can be pressed for troubleshooting and advanced startup options. Ntdetect.com will detect the following hardware components:

  • Computer ID
  • Bus/adapter type 
  • Keyboard
  • Com ports 
  • Parallel ports
  • Floppy disks
  • SCSI adapters
  • Mouse/pointing devices
  • Floating-point coprocessor
  • Video adapters

Once Ntdetect.com has collected the hardware information, NTLDR will load Ntoskrnl.exe and pass that information.

Step 3: Kernel Load
The Kernel Load phase begins with Ntoskrnl.exe loading along with the Hal.dll file. At this point NTLDR still plays a role in the boot process. NTLDR will also read the SYSTEM registry key into memory and select the hardware configuration that is stored in the registry. It will load the configuration needed for the computer to boot. At this point in the boot process it is possible to select which hardware profile is to be loaded, provided there is more than one hardware profile to choose from. Next, any device drivers that have a start value of 0x0 will be loaded from the registry by NTLDR. At this point all of the files have been loaded into memory.

Step 4: Kernel Initialization
The initial kernel load phase is now complete and the kernel will begin to initialize. This simply means that it is recognizing everything that was loaded previously so that NTLDR can now give control to the operating system kernel. The operating system can now begin the final stages of loading. The Graphical User Interface (GUI) is now seen and it will show a status bar indicating that the GUI is now loading. Four additional steps will now take place:

  1. The hardware key is created – Once the kernel has completed the initialization process, it uses the information collected during the hardware detection phase to create the registry key HKEY_LOCAL_MACHINE\HARDWARE. This registry key contains all the information about the hardware that is located on the computer motherboard as well as the interrupts used by the hardware devices.
  2. The clone control set is created – The kernel references the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\Select and then creates a clone (or copy) of the Current Control Set value in the registry. The computer then uses this clone to maintain an identical copy of the data used to configure the computer, so this registry value will not reflect changes made during the startup process.
  3. Device drivers are loaded and initialized – During this step, the kernel first initializes the low-level device drivers that were loaded in the Kernel Load phase of the boot process. Now the kernel must scan the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services for device drivers with a value of 0x1. This device driver value indicates at what point in the process the driver will load. The same applies to the device driver value used in the Kernel Load phase.
  4. Services are started – The final step that needs to be completed is starting the Session Manager. The Session Manager is started when the Smss.exe file is loaded. The Session Manager is responsible for loading the programs in its BootExecute Registry Entry. The Session Manager also loads the required subsystems, which start the Winlogon.exe file. This file starts the Local Security Administration (Lsass.exe) file, and the Ctrl+Alt+Delete window appears. The Service Controller (Screg.exe) will check the Registry for services with a start value of 0x2, and will load them. Services with start values of 0x3 are started manually, and services with start values of 0x4 are disabled.
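
When auditing which drivers and services load before anyone logs on, it helps to sort the entries under the Services subkey by their start value. The following is an added example, not part of the original chapter: it parses a text export of that subkey in .reg format and groups each entry by the boot stage described in Steps 3 and 4. The sample export and its service names are constructed for illustration, and the export is assumed to be already decoded to text.

```python
import re

# Start value -> boot stage, as described in Steps 3 and 4 of this chapter.
START_PHASES = {
    0x0: "Kernel Load: loaded by NTLDR",
    0x1: "Kernel Initialization: loaded by the kernel",
    0x2: "Services started: loaded by the Service Controller",
    0x3: "Manual start",
    0x4: "Disabled",
}
# Constructed sample in .reg export format; the service names are invented.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\exampledisk]
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\examplefs]
"Start"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\examplesvc]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\examplesvc\Parameters]
"Start"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\nostart]
"Type"=dword:00000010
'''
KEY_RE = re.compile(
    r'^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$', re.I)
START_RE = re.compile(r'^"Start"=dword:([0-9a-f]{8})$', re.I)

def start_values(reg_text):
    """Return {service: Start value or None} for direct subkeys of Services."""
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            # Nested subkeys (e.g. ...\Parameters) do not control load order.
            current = m.group(1) if m else None
            if current:
                services.setdefault(current, None)
        elif current and (m := START_RE.match(line)):
            services[current] = int(m.group(1), 16)
    return services

def load_order(reg_text):
    """Group services by the boot stage at which their Start value applies."""
    stages = {}
    for name, start in start_values(reg_text).items():
        stage = START_PHASES.get(start, "No/unknown Start value")
        stages.setdefault(stage, []).append(name)
    return stages

if __name__ == "__main__":
    for stage, names in load_order(SAMPLE_REG).items():
        print(f"{stage}: {', '.join(names)}")
```

Entries in the first two groups run before the Session Manager starts, so an unexpected name there deserves the closest look.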

Step 5: Logon
The Logon screen begins the final step in the boot-up process. Although this is the final step, the boot is not considered complete or successful until a user logs on. Once the user has logged on, the clone of the Current Control Set value from the fourth item, in Step 4, is copied to the Last Known Good control set value in the registry. This is a safety measure that the OS performs so a user can reboot the computer if a problem arises where the boot process becomes corrupt. For example, a bad device driver may be loaded that does not allow the user to log on. Selecting this value during startup loads the last successful boot configuration that was saved without this bad device driver, allowing the user to log on.