Windows Startup Terminology

toggle-button

Introduction

This article supports the Windows 7 Startup article

Understanding the Windows 7 Startup article requires an understanding of the terms used here.

How do I know if I need to understand the terminology?

If you think that you don't need to refer to or read the terminology section  of this article then you should understand the following paragraph:

You will see that most of the definitions in this article relate to how Windows runs programs. Windows startup is primarily about running programs of several different types. Every running program has at least one process and many have a lot more because each process can have many child processes. Every process also has at least one thread.

Even if you do understand this there are some useful examples related to Windows startup that illustrate each term.

I have also added a section on how programs are executed by Windows. That gives you some idea of how Windows works under the hood and gives you some further insights into Windows startup.

Icons highlight key issues

In the main article I have included icons to highlight various topics of interest and I have used them here too.

32-bit and 64-bit Windows have some significant differences:
32 applies to 32-bit Windows only.
64 applies to 64-bit Windows only.

If you are troubleshooting then look for these icons:
 !  indicates a known troubleshooting issue.
 §  provides information on diagnostic tools and their output.
 

Terminology

The verbs in Table 1 are regularly used in this article so it helps to know what they mean.

Table 1 - Startup Activity Terminology
Term Definition Windows Startup Example

Boot

Another word for start or startup. Short for 'bootstrap'.

Windows starts with a Boot Manager (BootMgr.exe) then an OS Boot Loader (WinLoad.exe)

Enumerate

Gather information about things and include them in a list

The Windows Boot Loader loads drivers into memory. If they load correctly then they are enumerated into Windows list of loaded device drivers.

Execute

Process the instructions in a program using a computer. Hence a program can be called an executable.

The main synonym is run. Words with very similar meanings are launch and start.

The boot drivers are executed when they are needed and not earlier during the Boot Loader phase. The Boot Loader initially loads and enumerates them and the most critical are also validated to ensure they aren't damaged or modified. During the Kernel mode startup phase they are then initialized and run/executed.

Initialize

Setup a computer component to the condition it needs to operate. Often this means creating it. Components can be variables i.e. data, software such as programs and drivers, of hardware such as disk drives.

Programs usually have a specific routine that is run to initialize them. Such an initialization routine can, for example, check which version of Windows is running and enable or disable its own features accordingly.

The Windows Boot Loader loads and enumerates drivers for the kernel mode. During the kernel mode initialization phase these drivers are initialized, i.e. setup to be ready to start, and then started/run/executed.

Load

Take from storage and transfer into memory where it can be operated, e.g. data such as a document file, software i.e. programs, or hardware such as CDs and DVDs.

Loading creates an instance or copy of the executable program image in memory.

The Windows Boot Loader loads into memory the drivers needed for kernel mode. These drivers are enumerated if they load correctly.

When Windows loads a program it does not have to read the entire image file into memory. It allocates sufficient virtual memory to fit the program but saves time starting the program because it does not have to wait for the entire image file to be read into memory.

Run

Process the instructions in a program using a computer.
Usually assumes that the program will be loaded too.
Usually a synonym for execute.

When a user logs on the registry key is read to get a list of programs to run once:
HKU\[user SID]\Software\
Microsoft\Windows\
CurrentVersion\RunOnce

Spawn

To load and execute a new process as a child of the current process.

In the computer world it can be anywhere from one to many. Whereas the usual meaning in the natural world always suggests spawning many eggs (from fish, frogs, etc.) or many of anything,

User mode sub-systems spawn many child processes. The child process can even be another instance of itself. The Session Manager spawns itself to ensure that sessions are created without being dependent upon other sessions being created.

Terminate

To deliberately end or kill a running program.

Often when a program hangs, freezes, or halts then you will have the option to terminate that program to regain control without restarting the computer

Many processes terminate during startup when they complete their function and are no longer required e.g. the Boot Loader. The critical processes do not and have to be running for Windows to continue, e.g. the many of the kernel-mode components.

The Session Manager never terminates. If it does then Windows terminates too.

Validate

To confirm or verify the correctness of computer components particularly program code.

Critical Windows components have their files cryptographically verified to ensure that they have not been damaged or tampered with.

 

The terms in Table 2 describe many of the features involved at startup.

Table 2 - Windows Components Terminology
Term Definition Windows Startup Example

API

An Application Programming Interface specifies how some programs will interact with each other. An API is usually a library which in Windows is usually a DLL.

Programming languages also have their own libraries and APIs. Some APIs have international standards.
For this article, you should not have to know anything about the specific features of each API interface.

Windows has the Win32 API which is used by user-mode programs. The Win32 API is not available during kernel mode startup so NTDLL.DLL duplicates many of the Win32 functions so they are available before Win32 is running.

The POSIX API is an international standard. Windows can run programs that comply with POSIX 1. 

Asynchronous

Unsynchronized.

When two or more processes or threads are running concurrently then they can coordinate their execution. If they don't then they are running asynchronously and the outcome of one process does not impact on the other processes. If they do then they are running synchronously i.e. synchronized.

Windows startup is primarily asynchronous. Having synchronous processes will generally cause some processes to wait which is not what is wanted.

Windows startup reduces synchronization by using programs and data that are duplicates:

  • WinLoad loads the system registry before the registry API is available. Later the loaded system registry is moved to the normal registry structures.
  • NTDLL.DLL duplicates much of the functionality of the Win32 API so it can be used earlier in the startup sequence before Win32 is initialized.
  • If Fast Logon is enabled then Windows can logon on network users by using cached user credentials rather than having to wait for network logon to complete. When network logon is complete then the current group policies are applied.

DLL

A Dynamic Link Library is a type of software that allows other programs to use its program code and data. The program code, also referred to a callable subroutine or procedure, can be loaded when needed (i.e. dynamically) and can be shared by many programs. This is more efficient because Windows only needs to keep one copy of the DLL in memory.

DLLs are executable files that are essentially the same as EXEs so DLLs but can have the file extension .EXE instead of the usual DLL. The main difference is that Windows will not load DLLs. They must be loaded by an EXE.

Much of Windows uses DLLs:

  • Kernel-mode components e.g. the Hardware Abstraction Layer (HAL) is loaded as HAL.DLL.

  • Most device drivers are also DLLs.

DLLs that have .EXE file extensions include Kernel.exe, User.exe and GDI.exe. These are also kernel APIs (Application Programming Interfaces) which other programs can call.

Concurrent

Occurring at the same time, i.e. in parallel.

During user-mode startup the Local Security Authority Sub-System (LSASS) starts two session, 0 is non-interactive and 1 is interactive and they run concurrently.

Driver

Software i.e. a program that allows your computer to communicate with hardware. Technically, it is a 'device driver'.
Drivers normally have the extension .SYS.

Device drivers are grouped to represent different types which include:

  • Hardware
  • File system e.g. FAT, NTFS
  • File system filter - can intercept file system IO to do things like disk mirroring and backups.
  • Protocol e.g. TCP/IP

 !  Device drivers run in kernel mode so you need to be sure that you can trust their source i.e. be very careful downloading drivers from the Internet.

Sometime older drivers won't run. 64 For example, 64-bit Windows adds a layer of security and expects all drivers to be cryptographically signed which is a further check on downloads.

Image

An image is a copy transferred to another medium. So a program image is the file stored on disk. The actual program only really exists when it is loaded in memory or running.

Programs run in memory. On disk they are called images because their normal medium is loaded into memory and being executed. Windows startup involves loading many images and running them from memory.

Instance

An instance of a program is a "specific realization", which is a copy, of that program.

A program image stored on disk can be loaded many times. Each is an instance of the same program.

The Session Manager is not good at creating more than one session at the same time so when it has to create a new session it runs a new instance of itself for each new session. Once they have created the new session, they stop running leaving the original Session Manager instance to manage the newly created sessions.

Kernel mode

Windows separates its important system sub-systems from the programs we want to run by running them at a higher priority in kernel-mode.

Our application programs are prevented from damaging windows by running them in user mode at a lower priority with limited access to Windows resources.

The system process is the main kernel-mode process. It is always running.

Normally, the Local Security Authentication Sub-System (LSASS) enforces security by preventing unauthorized access. The driver ksecdd.sys performs a similar function by securing the system thread from unauthorized users before LSASS is running.

Loader

Part an operating system i.e. Windows that loads programs into memory and prepares them to execute.

The Windows loader is WinLoad.exe. It is configured to load the boot configuration data (BCD), the system registry, and the first boot drivers needed to read those files. This allows Windows to configure itself to match the hardware that it is running on before all the necessary Windows sub-systems are up and running..

Program

A program is a static and passive set or collection of computer instructions. It is static because it does not change unless it is updated. It is passive because it does nothing until it is executed by the computer.

At the lowest level is machine code which is instructions that the computer processor can operate on without requiring an  interpreter program.

When the Windows Boot Loader (WinLoad.exe) loads program image files into memory it validates that they are correct by calculating the programs cryptographic signature and comparing it with the known value. If the program fails this test then it is not executed. If the program is a critical program then Windows will crash.

Process

A process is a container for an executable program and has the same name as the program but it also has resources that support the execution of the program such as a process ID, the process ID of the parent process, and a private storage area which holds information like security permissions.

In other words, a Windows process is a structure in memory that consists of or owns the following:

  • an image of the executable machine code
  • an allocated range of memory to contain the process structures and the executable image
  • data on the resources allocated to the process
  • data on the security attributes
  • data on context or state of the computer processor (CPU) when it last ran the process thread. That data is loaded into the CPU the next time that the thread runs.

In Windows a program normally has at least one process primarily associated with it. A process can create other processes which are called child processes, grand-child processes, end so on.

The analogy of a family tree is useful because Windows uses tree structures for organizing many of its structures such as folders on disk and registry data.

Service

A Windows service is a process started by the Service Control Manager (SCM).

Windows services do not include device drivers even though the registry records them in the same part

Services generally run for all users e.g. Printer Spooler, Task Scheduler. But you can also run a service for an individual user so it does not impact on other users. This can done using startup scripts, scheduled tasks or group policies.

Session

A session is an exchange of information. It can be computer to computer or device to device. Here it is primarily the interaction between a human and a computer which is called a user, login or interactive session.

Windows has a Session Manager (SMSS) to manage sessions. It initially starts a non interactive session 0 then an interactive session 1.

It creates an instance of itself for every session so it can handle many users logged on.

Synchronous

Synchronized.

When two or more processes or threads are running concurrently then they can coordinate their execution. This means that at least one of the processes will be dependent upon the results or outcomes of another process. If they are then they are running synchronously. if they are not then they are running asynchronously i.e. unsynchronized.

Some applications have Windows services which are dependent upon other services starting before them. If the Service Control Manager (SCM) cannot easily determine when to run them they then become delayed services. Delayed services do not start being initialized until 120 seconds after the auto start services are started. This delay helps other startup processes to complete but effectively makes any delayed start service dependent upon the outcome of starting all the auto start services.

Thread

The part of a process that Windows executes on the computer processor. In other words programs and processes only execute in threads. That is why a process is always created with at least one thread.

Threads, like processes, also have IDs and a private storage area.

64 In 64-bit Windows there will be private storage areas for both 32-bit and 64-bit modes so the thread can switch between each.

Trace

Collect a log of information to show what a system is doing. A startup or boot trace logs startup information. It can be used to troubleshoot problems such as Windows halting, improve startup speed by identifying slow programs, or to identify which Windows components are used.

 §  To provide information for a real-world example I am using a Boot trace created by the Windows Performance Recorder (WPR).

The trace log file can be analysed by a number of programs which will be discussed in a related article that is yet to be created.

User mode

Windows separates its important sub-systems from most of the programs we want to run by forcing them into user mode.

Windows has many user-mode processes which are mainly processed in kernel mode because that is how much of the Win32 API works. That means the processes that need the kernel-mode resources can get them while the user mode process has little change of damaging the kernel-mode sub-systems and structures.

Processes like LogonUI (Logon User Interface), which asks for your user name and password, could have been designed to run to run in kernel mode. One advantage of running them in user mode is that if they fail they do not crash Windows. Instead another instance of LogonUI is created to ask for your logon details.

 

How Windows uses programs

 

Learn more about Windows programs, processes and threads

This section provides more details about how Windows executes or runs programs. It is not essential to know this but it is helpful if you want to understand questions like:

  • How does a program image file become an active process?
  • Why doesn't Windows startup load the entire program into memory before the program is initialized or executed?
  • Why is the Client-Server Runtime Sub-System (CSRSS) essential to user-mode?

 

How are programs executed/run

Diagram 1 is a overview of some of the activities involved in running a program. Diagram 2 expands this information by going a step deeper. In both diagrams you will see that these key points apply:

  • A program is a set of instructions that needs other programs/processes to help them to run. While it is stored on disk it is passive until it is loaded into memory, has the supporting structures it needs and its threads are executed.
  • Although a program has a process and a thread, it is only the threads that are executed by the CPU.
  • It is only when the threads are executed that the program is really active.

I have presented the activities as occurring in the two main modes of Windows operation. The Windows system mainly runs in kernel mode where it has a higher priority and access to any resources on the computer. Whereas users mode is more limited to prevent user programs from gaining access to resources and features that they should not be using.

I described a program image file as passive because it does nothing when it is stored on a disk. Windows first opens the image file but does not load the entire program into memory until it has setup all the structures that will be needed:

  • At least one process to keep track of both the program and the threads that are actually executed on the computer's processor (CPU).
  • At least one thread that Windows schedules to run on the CPU so the program can run while other programs are running.
  • The optional side-by-side (SxS) structures that manage which version of each DLL is to be used with this program.
  • Other kernel structures that are required so Windows can keep track of the process and threads.

 

Diagram 1 - Overview: How a program is executed/run
Passive / Active Medium User-mode
(Process address space)
Kernel-mode
(System address space)
Passive i.e. space-based Disk storage Program image file  
     
  Virtual memory storage Open (load) the program image file  
     
    Create the process structures
and the thread structures
 
     
      Create the kernel process structures
and the kernel thread structures
     
      Create other kernel structures
     
    Initialize the process structure
and the thread structure
 
     
Active i.e. time-based CPU processing Execute the thread  
     
    Fetch (load) the rest of the image for execution  

At this point the program is finally running and the programs own initialization routine can be run.

 

Further detail on how programs execute/run

Diagram 2 goes into more detail to illustrate the steps involved in running a program. In this diagram I have chosen to focus more on the structures that are created to allow a program being run. Even this is a major simplification of what really happens.

The key points to note are:

  • All these steps don't normally take very long. But they simply get us to the point where the program can be initialized if it has a specific initialization routine. At this time we us as users might start to see something happen on screen.
  • The Windows Client-Server Runtime Sub-System (CSRSS) also called the Windows Sub-system is the main process that runs our application programs. That is why there are structures created for CSRSS as well as for user-mode and kernel-mode. 

 

Diagram 2 - Windows structures created when a program is executed/run
Step User-Mode
(Process address space)
Kernel-Mode
(System address space)
     

0. Program on disk


Program image file
 
 

1. Validate the run parameters

E.g. Does the command to start the program actually work? What kind of process is it?

 

2. Open program image file

What kind of program is it? That determines how it is run. See Note 2 following this table.

 

3. Create the process structures

 
3.1 Create the user-mode process structure
Process
(EPROCESS)
 
 

 
3.2 Create Client Server Runtime (CSRSS) process structure
CSRSS process structure
(CSR_PROCESS)
 
   

3.3 Create the kernel-mode process structure  
Win32k process structure
(KPROCESS)

4. Create the thread structures.

 

4.1 Create the user-mode thread structure
Thread structure
(ETHREAD)
 
 

 
4.2 Create Client Server Runtime (CSRSS) thread structure
CSRSS Thread structure
(CSR_THREAD)
 
   

4.3 Create the kernel-mode thread structure  
Kernel Thread structure
(KTHREAD)

5. Initialize the process and thread structures

 

5.1 Optionally, create the kernel Side-by-Side (SxS) structure for the process so the correct version of the DLLs are used.  
Kernel Side-by-Side structure
 
   

5.2 Create and initialize the the Windows Sub-System structures for the process and thread  
Kernel Windows Sub-System structure
   

5.3 Initialize the Client Server Runtime (CSRSS) process structure
CSRSS Process structure
(CSR_PROCESS)
 
 

 
5.4 Initialize the Client Server Runtime (CSRSS) thread structure
CSRSS Thread structure
(CSR_THREAD)
 

6. Execute the image

 
6.1 Execute the first thread for the process
Thread
 
 
 

 
6.2  Execute the image by fetching the remainder of it from disk.
Program image file
 
 
Step User-Mode Kernel-Mode
       

Notes: Windows performs numerous checks so I have included some here as examples:

1. What kind of process is it? E.g. If it is protected then the image file requires digital signing.

2. What kind of program? The type of program determines the process to execute it:

  • Windows program → use as is
  • DOS .com, .exe, .pif → NTVDM.exe
  • DOS .bat, .cmd → CMD.exe
  • POSIX → POSIX.EXE

3. What does the process need?

  • How much memory to allocate?
  • Which DLL to link to?
  • Is a new interactive session required?

5. Can this process run? A process can be blocked by being restricted by group policy or by using restricted DLLs.

6.1 Can this thread run? Sometimes the thread has failed to start.

6.2 Is prefetch enabled? Prefetch loads the image and other files based on observed behaviour on an earlier run.

 

Related Links

Microsoft references:

  • The Windows Internals book does not specifically look at Windows startup but it does look at the mechanisms involved in many aspects of startup including creating processes and threads.

Back to the top of the article.

 

Please rate this article: 

Your rating: None
4.727275
Average: 4.7 (33 votes)
toggle-button

Comments

Awesome.

Added two diagrams on how programs run in Windows. Remah - Editor