This article is an overview of Windows startup with a flowchart and a couple of examples of the startup phases with immediate user logon and delayed user logon.
My goal is to make Windows startup more easily understood by the average user. So I have provided a couple of supporting articles on basic terms used to describe how Windows works and an overview of many of the main components of Windows.
This article will be most useful to confident users because it provides clarity and detail that is quite difficult to find elsewhere. All the information in this article can be found on the Web but you will find that there are no easy overviews. Most of the sources conflate (mix together) Windows components, features, and versions.
As of June 2017, the detailed processing steps have been moved into a separate article, Windows 7 Startup Detail, because this article was just too big. That article now contains:
- Descriptions of the major components.
- Detailed sequences of activities for each process.
- Example registry keys and values.
These articles have several caveats:
- The articles are always going to be an overview rather than a complete description.
- The articles are now unlikely to have more detail added.
- The articles may have errors but wherever possible I have confirmed the steps in a real example. I've still had to rely on other commentaries as I've only used the tools that would be used by a confident user. That's why there is no mention of advanced tools for programmers like kernel debuggers or the special debug version of Windows (a checked build).
- These articles are not a troubleshooting guide, although I have included some pointers for where to look for solutions to some problems.
- These articles are not a guide to altering your system start-up processes. They should not be relied upon for making any changes to your system. Instead you should confirm any change through the relevant support channels for Microsoft Windows or the particular application you are dealing with.
- These articles do not include starting Windows 8 or 10, installing Windows, resuming Windows from sleep or hibernation, or using safe mode and the other startup options. If you do want more detail in some area then let me know by registering with this site and leaving a comment.
These articles only look at Windows 7 64-bit
Windows 7 is a good compromise between old and new versions of Windows. Although it is very similar to Vista, there are major differences in the startup processes. I have pointed out some of those differences where it improves this article. For anything else related to earlier versions of Windows you will have to look elsewhere.
The examples I am using are based on startup traces I ran on my test PC running Windows 7 64-bit. I used 64-bit Windows because it was the future at the time. Plus I need to highlight how 64-bit Windows handles 32-bit processes.
The traces provide some timings to give you a relative indication of the time taken by the startup phases, and they also give you the option to compare them with your own Windows startup. Just be aware that there are several reasons why your relative timings may be considerably different from mine.
Icons highlight key issues
I have included icons to highlight various topics of interest so you can scan the detail more easily.
32-bit and 64-bit Windows have some significant differences:
32 applies to 32-bit Windows only.
64 applies to 64-bit Windows only.
Where the startup feature was changed from Windows Vista:
7 indicates a new feature for Windows 7.
On the very few occasions where the Windows Edition is relevant:
Δ indicates differences between Windows Editions.
If you are troubleshooting then look for these icons:
! indicates a known troubleshooting issue.
! indicates a critical process (processes set this status themselves) which can crash or halt Windows if it fails.
§ provides information on diagnostic tools and their output.
∞ indicates a process that normally runs until Windows stops.
How to view and print the larger tables and diagrams
I am trying to pack a lot of information into some of the tables and diagrams so they look better in a display that is 1600 pixels wide. If your display is smaller, particularly if it is below 1200 pixels wide, then you can use the 'Printer-friendly view' to remove the sidebars so you can read them more easily.
The diagrams are not digital images such as bitmaps or vector-based drawings. They are only HTML characters and HTML/CSS formatting. This means that you may have to change your web browser settings:
- Set the page encoding to Unicode or Auto-detect so the arrows and other symbols are visible.
- Set the page or print settings to print the background colours and table borders. For example, in Firefox this is under the Menu | Page Setup dialog | "Format and Options" tab | "Print background color (colors & images)" checkbox.
In the tables I have placed a blank line between each filename and registry key to keep them separate. Where a registry key is too long to fit in one line of a table then I have also inserted line breaks to break it up.
What you should know
Kernel mode has to start before User mode
You should understand that Windows has two modes of operation which largely determine the sequence of startup activities:
- User mode is what we work with. It runs our applications programs on top of layers of services and subsystems that are mainly provided by the Windows Kernel mode.
- Kernel mode sits between the hardware and our application programs, supervises the running of the computer, and provides subsystems and services for User-mode programs to use. Kernel mode startup roughly corresponds to the time that the "Starting Windows" splash screen is displayed.
User mode depends upon Kernel mode so the Windows Kernel has to be loaded first and only later in the startup process are the User-mode sub-systems and services loaded. During Kernel-mode startup there is very little for you to see apart from the Starting Windows screen. During User-mode startup the logon screen and the desktop screens are almost always visible.
Windows does some things to spread the startup load
Windows startup processing is more sequential at the start and becomes more parallel. Kernel mode is mainly sequential because there are many dependent processes and prerequisites, so the Kernel-mode sub-systems are largely built up in a specific order. User mode, by contrast, is a virtual explosion of processes spawning other processes, almost always running in parallel because most of the dependencies are handled in Kernel mode.
Windows also has ReadyBoot and prefetch to ensure that needed components are already in memory when they are needed to load or start.
To maintain responsiveness, Windows delays the starting of many programs. Services and drivers are good examples of this:
- Boot start and system start drivers start during the kernel-mode phase.
- Auto start and on demand services start later, in the user-mode phase, when the Service Control Manager (SCM) is running.
- Some services have a delayed-start attribute or have dependencies, so SCM delays their start until 2 minutes after the SCM starts. In the meantime, other startup processes like user logon have started more quickly.
Critical processes must keep running
Windows has many critical processes that cause Windows to crash if they fail, unless Windows has booted in debugging mode, in which case the debugger will appear:
- System process for the Kernel (NTOSKrnl.exe) !
- The Session Manager Sub-System (SMSS.exe) !
- Client Server Runtime Sub-System (CSRSS.exe) !
- Windows Logon (WinLogon.exe) !
- Windows Init (WinInit.exe) !
- Windows Logon User Interface Host (LogonUI.exe) for RDP only !
- Local Security Authority Process (lsass.exe) !
- Service Control Manager (Services.exe) !
- Service Host (svchost.exe) with RPCSS or Dcom/PnP !
- Desktop Window Manager (DWM.exe) !
- plus other optional processes such as performance monitoring ! or Internet Information Services (IIS) !
In practice it is possible to engineer Windows to start without many of these processes but this is not something that the average user should be considering.
Diagram 1 is a simple flowchart of the major programs that control the sequence of a normal Windows startup. There are many more essential programs that are initialised and run by these programs. I didn't include any of them although many are listed in the more detailed startup steps later in this article.
This diagram matches Diagram 2, 'Phases of Windows Startup for immediate logon'. The colors here largely match the Boot Phase scheme in Diagram 2, as do the times on the left, which are startup-trace times in seconds. Until the user logon screen appears at 35.8 seconds, this diagram also matches Diagram 3, 'Phases of Windows Startup for a delayed logon'.
Important points to note:
- The three processes started by WinInit - SCM, LSASS and LSM - all start at about the same time (17.4 and 17.7 seconds) as WinLogon (17.7 seconds), but I have chosen to separate them to emphasize the separation of non-interactive and interactive sessions.
- Some processes end when they pass control to the next process in the flowchart. But most processes continue to run for longer, and many run until Windows is shut down; I've indicated these with the infinity icon ( ∞ ): NTOSKrnl, SMSS, CSRSS, SCM, LSASS, LSM, WinLogon. Explorer would also be in this list except that it only runs when a user logs on to an interactive session.
- I have indicated the critical processes ( ! ) that must run for Windows to run. You will notice that the processes that interact directly with users (LogonUI and Explorer) are not critical, so if they fail they do not automatically crash Windows.
- Much of the time until the user logon screen (LogonUI) appears looks like it is spent starting the Session Manager (SMSS) and creating the non-interactive and interactive sessions. But this is also the time when many kernel-mode sub-systems, the Windows APIs and the registry are starting.
Booting your computer
For the sake of completeness I include this section as an overview of the process that takes place when you turn on your computer but before Windows is started. It won't be discussed again in the more detailed discussion of Windows startup.
When you turn on the power switch of your computer there is a standardized process for your computer to know what to do without any input from yourself. This is called bootstrapping or, as it is commonly known, booting. It is based on the idea of pulling yourself up by the bootstraps of the boots that you are wearing. For a computer, booting means running a small program stored at a specific address in memory. This program is very simple and mainly works to load a larger, more complex program called a boot loader, which can then itself load a larger, more complex program such as the Windows boot loader. That Windows boot loader in turn loads the much more complex Windows kernel mode, which eventually leads to the Windows operating system being loaded for you to use in User mode.
Two types of firmware
The bootstrap loader is stored in a memory chip that does not lose its data when the computer power is turned off. This combination of non-volatile memory and program code is called firmware. Currently there are two main firmware interfaces that have been standardized for Windows computers. The old version which was used on the original IBM PC is called the BIOS (Basic Input/Output System). The other more modern design of firmware is called UEFI (Unified Extensible Firmware Interface) and has only been widely used since 2010.
The main BIOS steps are as follows; the simplest UEFI steps are similar:
- Identify if quick/fast boot is enabled. If so, skip some tests.
- Run a POST (Power-On Self-Test) to check the motherboard components and any installed adapters.
- Identify and initialize hardware devices, including the AHCI (Advanced Host Controller Interface) settings used to access SATA hard disk drives.
- The BIOS boot loader attempts to load a boot loader from a suitable system disk:
  - Identify the device boot order, which can include fixed disk drives, removable disk drives like CD and DVD drives, USB drives, and Network Interface Cards (NICs).
  - Identify if PXE (Preboot eXecution Environment) boot is enabled, to boot by obtaining a bootstrap program from the NIC.
  - Otherwise detect a valid system disk.
  - Load the bootstrap program in the Master Boot Record (MBR) on sector 0 of the system disk. It is loaded into memory at address 0x00007C00 and executed.
  - Normally the bootstrap program will load the VBR (Volume Boot Record) from the first startable partition on the system disk.
- Load the Windows Boot Manager. Initially a real-mode stub is loaded, which then passes control to a 32-bit protected-mode Boot Manager. The Windows Boot Manager can provide a boot option menu for you to select from.
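To make the last two BIOS steps concrete, here is an added example (not code from the original article) that parses a 512-byte MBR the way the firmware's bootstrap logic does: check the 0xAA55 signature, read the four 16-byte partition-table entries at offset 0x1BE, and pick the first entry flagged active, which is where the VBR would be read from. The MBR itself is constructed inline (bootstrap code zeroed, a "System Reserved" partition marked active, then an OS volume); the layout constants are the standard MBR layout and the load address is the 0x7C00 the article mentions.

```python
"""Parse a BIOS-style Master Boot Record (MBR) and pick the partition whose
Volume Boot Record (VBR) the MBR bootstrap code would load next.

Added example, not part of the original article. SAMPLE_MBR is constructed
for this example; the layout constants are the standard MBR layout.
"""
import struct
from typing import List, Optional

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 0x1BE
ENTRY_SIZE = 16
SIGNATURE_OFFSET = 0x1FE
BOOT_SIGNATURE = 0xAA55        # stored little-endian, so the bytes are 55 AA
BOOTABLE_FLAG = 0x80
LOAD_ADDRESS = 0x7C00          # where the BIOS places the MBR before jumping to it

# Partition type bytes used in this example (widely documented values).
PARTITION_TYPES = {0x07: "NTFS/exFAT", 0x0C: "FAT32 LBA", 0xEE: "GPT protective"}


def has_boot_signature(sector: bytes) -> bool:
    """The first thing BIOS bootstrap code checks: 0x55 0xAA at offset 510."""
    if len(sector) != SECTOR_SIZE:
        return False
    (signature,) = struct.unpack_from("<H", sector, SIGNATURE_OFFSET)
    return signature == BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> List[dict]:
    """Return the four partition-table entries as dictionaries."""
    if not has_boot_signature(sector):
        raise ValueError("not a valid MBR: wrong size or missing 0xAA55 signature")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        # status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, offset)
        entries.append({
            "index": index,
            "bootable": status == BOOTABLE_FLAG,
            "type": ptype,
            "type_name": PARTITION_TYPES.get(ptype, f"0x{ptype:02X}"),
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return entries


def first_bootable(entries: List[dict]) -> Optional[dict]:
    """Mimic the bootstrap code's choice: the first active entry with a non-zero
    type. None means nothing is startable, which is when a BIOS typically
    reports a missing operating system."""
    for entry in entries:
        if entry["bootable"] and entry["type"] != 0:
            return entry
    return None


def build_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    """Pack one 16-byte partition entry (CHS fields zeroed, as LBA-only tools do)."""
    return struct.pack("<B3sB3sII", BOOTABLE_FLAG if bootable else 0, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


# Constructed sample: a typical Windows 7 layout where the small "System Reserved"
# partition (it holds bootmgr and \Boot\BCD) is the active one, followed by the OS volume.
SAMPLE_MBR = (
    b"\0" * PARTITION_TABLE_OFFSET                # bootstrap code area (zeroed here)
    + build_entry(True, 0x07, 2048, 204800)       # System Reserved, 100 MiB, active
    + build_entry(False, 0x07, 206848, 41738240)  # Windows volume
    + build_entry(False, 0x00, 0, 0)              # unused
    + build_entry(False, 0x00, 0, 0)              # unused
    + struct.pack("<H", BOOT_SIGNATURE)
)

if __name__ == "__main__":
    chosen = first_bootable(parse_mbr(SAMPLE_MBR))
    print(f"MBR loaded at 0x{LOAD_ADDRESS:04X}; VBR would be read from LBA "
          f"{chosen['lba_start']} ({chosen['type_name']})")
```

Running the block prints the partition the firmware would hand over to. The same parser can be pointed at a real sector 0 read from a disk image, which is a quick way to confirm that the active flag and the boot signature are where a normal Windows installation leaves them.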
UEFI has many more options than the BIOS. It is called the Extensible Firmware Interface (EFI) because it has the capacity to run other programs, and it can verify the software and hardware to prevent untrusted components from operating.
- Identify if secure boot is enabled. If so, use the TPM (Trusted Platform Module) to enhance security.
- Identify if BIOS compatibility is enabled. This does not mean that it runs like a BIOS, only that it uses the same interface.
- Identify and initialize hardware devices. This initialization includes the secure boot verification of hardware:
  - Initialize the CPU.
  - Initialize the chipset.
  - Initialize the motherboard, RAM and other interfaces.
  - Load the Driver Execution Environment (DXE) for discovered resources:
    - I/O bus
    - Option ROMs on adapter cards, including on NICs
- Load the UEFI boot manager, which has a boot menu option that the BIOS does not have:
  - Read the BootOrder EFI variable.
  - Identify if PXE boot is enabled to obtain a bootstrap program from a UEFI extension or a NIC.
  - Locate the EFI System Partition on whatever device it is configured for. It is not limited to a disk drive or a NIC.
- Load the Windows Boot Manager, which also has a boot menu that often confuses users who do not realize that the UEFI boot manager has one too.
The Windows Boot Manager
The Windows Boot Manager, bootmgr.exe, reads the Boot Configuration Data (BCD) to determine the installed versions of Windows and what their startup options are. The Boot Manager can display a boot menu, but I am describing the simplest startup process, so those options are not discussed here. It is also not timed, so it is not included in discussions of the example trace.
Boot Manager locates the Boot Configuration Data (BCD)
There remains one distinction which is where the Boot Manager locates the BCD:
- The BIOS locates the configuration in "\Boot\BCD" on the system volume.
- The EFI locates the configuration in the "\EFI\Microsoft\Boot\" directory on the EFI system partition.
Boot Manager locates the Boot Status Data Log (BootStat.dat)
There are boot status data logs for the Boot Manager and for each installed version of Windows. The Boot Manager log is BootStat.dat in the Windows directory or the \Boot directory of the system partition. This location can be set in the BCD.
If the previous start failed then the Boot Manager displays its boot menu. As I'm not looking at failed starts this is not discussed here.
Boot Manager runs any boot-time utilities
The Boot Manager can run utility programs to diagnose problems or to perform maintenance. The Microsoft memory tester, memtest.exe, is probably the most useful example.
Boot Manager displays a boot menu if required
The Boot Manager also displays a boot menu if more than one option is to be presented to the user. Again, I am not discussing this feature.
Make sense of the Windows startup phases
There are several schemes for describing startup phases
The starting point for the following discussion of Windows startup is after the Windows Boot Manager, bootmgr.exe, has been loaded and control has been passed from the computer firmware, whether it was the BIOS or UEFI. Up until the point where the Windows Boot Manager hands over control to the Windows Loader there is no record of the time.
From this point there are several ways of describing the Windows startup phases. You may find that the differing intervals and terminology are a hindrance when either reading articles about Windows startup or trying to interpret the diagnostic results from various tools. The remainder of this section illustrates the similarities and differences between these schemes before I discuss the startup components in more detail.
Startup phase schemes
Here is a description of each category used in Diagrams 2 & 3. You could say that they move from user-oriented on the left to more technical on the right but really only the first category is accessible to most users.
Visible to Users is what you see on your screen. These events normally occur some time after the start of the interval.
Boot Time is used in the Windows Event Viewer, and those statistics are available at any time.
Windows Focus indicates the process that is currently awaiting input and is usually visible. Focus is the graphical equivalent of the text-based cursor.
Boot Interval is used in the Boot Phase analysis of Windows Performance Analyzer (WPA) when summarizing trace data provided by Windows Performance Recorder (WPR). It is very similar to the Boot Phase scheme, which differs only in that the Pre Session interval is divided into OS Loader and Kernel-mode initialization.
Boot Phase is widely used in Microsoft tutorials on analysing Windows startup. It is probably the most useful to understand, simply because it is often used to describe what happens when you delve more deeply into Windows startup.
The Drivers & Services category, as I've called it, is focused on the kernel-mode Plug and Play (PnP) Manager, which loads devices and drivers in three main phases that correspond to the three categories of devices and drivers:
- BootStart devices and drivers are those that are run before the Windows Kernel mode is completely running.
- SystemStart devices and drivers are those that are run when the supporting Windows Kernel-mode components are running.
- AutoStart devices and drivers are all those that are started for user sessions.
- The remainder are OnDemand devices and drivers. They are run when they are required so they are not part of the startup phases.
What happens when we logon immediately or use auto logon
Diagram 2, "Phases of Windows Startup - immediate logon", approximates what happens when I log on as soon as the prompt appears, i.e. within 10 seconds. There is now no separation of the user logon activities from the system startup activities, and the phase overlaps change.
I say the timings are approximate because under normal circumstances Windows startup changes every time it runs. Not only does Windows optimize the startup process but a slight delay in one process can cascade further delays to other activities. In practice that is exactly what happened. For some reason the MachinePolicyApplication was delayed 1.178 seconds and Windows generated an Event 107 record so I could see this in Event Viewer.
1 TotalBootTime = MainPathBootTime + BootPostBootTime. BootPostBootTime doesn't follow the usual naming convention because that would have led to PostBootBootTime and they obviously didn't like the repetition of boot.
2 Technically, there can be no focus until the graphical user interface (GUI) appears.
3 The Trace Tail is not coloured because it is not part of a normal startup. It runs from the end of the Post Boot Phase to the end of the trace.
What happens when we don't logon immediately
If you don't logon the first time you are prompted then you allow the system startup activities to complete more quickly. There isn't much change in the startup phases and the number of steps remains the same. The major difference is that the BootPostBootTime and the auto_start driver initialization both finish before you start logon. The obvious advantage is that when you logon you will avoid waiting for other startup activities to finish so your system is more responsive right from when the desktop appears.
1 Again, TotalBootTime = MainPathBootTime + BootPostBootTime, but it is now about 18 seconds shorter than in Diagram 2 because some of the user logon activities were delayed, as I didn't log on for 20 minutes.
2 The Trace Tail runs from the end of the Post Boot activities to the end of the boot trace that I set up to record Windows startup activities.
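The Boot Time figures behind footnote 1 of both diagrams come from Event 100 in the Microsoft-Windows-Diagnostics-Performance/Operational log, whose EventData carries BootTime (the TotalBootTime), MainPathBootTime and BootPostBootTime in milliseconds. The following added example (my code, not the article's) parses two such records, checks the TotalBootTime = MainPathBootTime + BootPostBootTime identity the footnotes state, and works out how much shorter the delayed-logon boot was. The two records are constructed: their millisecond values are invented to echo the article's "about 18 seconds shorter" comparison and are not the article's trace numbers.

```python
"""Decode the Boot Time figures that Windows 7 records in Event 100 of the
Microsoft-Windows-Diagnostics-Performance/Operational log and compare an
immediate-logon boot with a delayed-logon boot.

Added example, not from the original article. The sample records are
constructed (values invented); the EventData names BootTime, MainPathBootTime
and BootPostBootTime are the real field names of Event 100 (milliseconds).
"""
import xml.etree.ElementTree as ET

EVENT_NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}


def make_boot_event(boot_ms: int, main_path_ms: int, post_boot_ms: int) -> str:
    """Build an Event 100 record in the shape Event Viewer's XML view shows
    (constructed; only the fields this example uses are included)."""
    return f"""<Event xmlns="{EVENT_NS['e']}">
  <System>
    <Provider Name="Microsoft-Windows-Diagnostics-Performance"/>
    <EventID>100</EventID>
  </System>
  <EventData>
    <Data Name="BootTime">{boot_ms}</Data>
    <Data Name="MainPathBootTime">{main_path_ms}</Data>
    <Data Name="BootPostBootTime">{post_boot_ms}</Data>
  </EventData>
</Event>"""


def parse_boot_event(xml_text: str) -> dict:
    """Return the three boot-time figures in seconds plus a consistency flag.

    TotalBootTime (the BootTime field) is MainPathBootTime + BootPostBootTime,
    so a record where that identity fails has been truncated or edited and
    should not be trusted for comparisons.
    """
    root = ET.fromstring(xml_text)
    event_id = root.findtext("e:System/e:EventID", namespaces=EVENT_NS)
    if event_id != "100":
        raise ValueError(f"expected Event 100, got {event_id}")
    fields = {d.get("Name"): int(d.text)
              for d in root.findall("e:EventData/e:Data", EVENT_NS)}
    total = fields["BootTime"]
    main_path = fields["MainPathBootTime"]
    post_boot = fields["BootPostBootTime"]
    return {
        "main_path_s": main_path / 1000,   # up to the desktop being shown
        "post_boot_s": post_boot / 1000,   # background startup work after that
        "total_s": total / 1000,
        "consistent": total == main_path + post_boot,
    }


def compare_boots(immediate_xml: str, delayed_xml: str) -> dict:
    """How much shorter the reported TotalBootTime is when logon is delayed."""
    immediate = parse_boot_event(immediate_xml)
    delayed = parse_boot_event(delayed_xml)
    return {
        "immediate_total_s": immediate["total_s"],
        "delayed_total_s": delayed["total_s"],
        "saved_s": immediate["total_s"] - delayed["total_s"],
    }


# Constructed sample records (values invented for this example, in milliseconds).
IMMEDIATE_LOGON_EVENT = make_boot_event(83000, 38000, 45000)
DELAYED_LOGON_EVENT = make_boot_event(65000, 38500, 26500)

if __name__ == "__main__":
    for label, record in (("immediate", IMMEDIATE_LOGON_EVENT),
                          ("delayed", DELAYED_LOGON_EVENT)):
        print(label, parse_boot_event(record))
    print(compare_boots(IMMEDIATE_LOGON_EVENT, DELAYED_LOGON_EVENT))
```

To run this against your own machine, open the Diagnostics-Performance Operational log in Event Viewer, select an Event 100, copy the XML view and feed it to parse_boot_event. Because BootPostBootTime is where the delayed-start services and post-boot work land, comparing records from an immediate and a delayed logon shows the same shift the article's Diagrams 2 and 3 illustrate.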
Other startup phase timings
There are other useful startup phases that I didn't include in Diagrams 2 & 3; these are single phases that each focus on one startup process:
Services Autostart is the phase in which most Windows services start to load. It runs from just before Explorer is initialized until just before PostBoot Activity starts. In delayed logon that is from 18.9 to 49.9 seconds, and it is not much different for immediate logon.
It is worth noting that various activities started and stopped while I delayed my logon. In an immediate logon they would not be included, as they are configured to run after the Windows startup process. The longest delay was for the Adobe Flash Player Update Service, which ran 900 seconds (15 minutes) after Services Autostart ended.
ReadyBoot, the Windows startup prefetcher (prefetch fetches items before they are needed), optimizes the loading of Windows components from disk drives. ReadyBoot uses the easily-confused ReadyBoost caching driver. Both are turned off if your disk drive is fast enough, for example if it is a solid-state drive (SSD). In the example, ReadyBoot in delayed logon runs from 2.1 to 102 seconds, finishing just before Session Initialization. It runs slightly longer, to 105 seconds, for immediate logon because there are more activities running at the same time.
Where does the kernel run?
The kernel mode runs in the System process
On every started Windows system there are two permanent processes that must be running:
- Idle is always process 0. It is used when the processor has nothing to process.
- System is always process 4. It includes most of the kernel-mode threads and only kernel-mode subsystems. This process owns all system threads, but take note that device drivers can create system threads in any process.
Why can't I find a service?
Services can have three different names which can confuse you:
- The process name which is most visible
- The registry name which is used internally
- The display name visible in the Services Administration Tool. If this is blank then it defaults to the registry name.
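The three names above all come from the same place: each service (and each driver) has a key under HKLM\SYSTEM\CurrentControlSet\Services whose name is the registry name, whose DisplayName value is what the Services tool shows, and whose ImagePath value names the process that will run it. The same key's Start value (0 to 4) and DelayedAutostart flag are what put a service into the BootStart, SystemStart, AutoStart, delayed AutoStart or OnDemand phases described earlier. The following added example (my code, not the article's) reads a constructed, simplified .reg export of that key (ImagePath written as a plain string rather than the hex(2) encoding a real export uses, backslashes not doubled) and reports all three names plus the startup phase for each entry. The disk, Spooler and wuauserv entries carry real service names with invented values; MyTool is a hypothetical service.

```python
"""Map a Windows service's three names (registry key name, DisplayName, process
name from ImagePath) and classify it by the startup phase its Start value selects.

Added example, not part of the original article. SAMPLE_REG_EXPORT is a
constructed, simplified export; the Start values 0-4, the DelayedAutostart
flag and the Type bits are the documented Windows meanings.
"""
import re
from typing import Dict, List

START_PHASE = {  # documented values of the Start REG_DWORD
    0: "BootStart",    # loaded by the Windows Loader before the kernel runs
    1: "SystemStart",  # started by the kernel-mode PnP/IO manager
    2: "AutoStart",    # started by the SCM in user mode
    3: "OnDemand",     # started when something asks for it, not at startup
    4: "Disabled",
}
DRIVER_TYPE_MASK = 0x3  # Type bit 0x1 = kernel driver, 0x2 = file-system driver

SERVICE_KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
VALUE_RE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

# Constructed sample (simplified .reg syntax); MyTool is hypothetical.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\disk]
"DisplayName"="Disk Driver"
"ImagePath"="system32\drivers\disk.sys"
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"DisplayName"="Print Spooler"
"ImagePath"="%SystemRoot%\System32\spoolsv.exe"
"Start"=dword:00000002
"Type"=dword:00000110

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"DisplayName"="Windows Update"
"ImagePath"="%systemroot%\system32\svchost.exe -k netsvcs"
"Start"=dword:00000002
"DelayedAutostart"=dword:00000001
"Type"=dword:00000020

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyTool]
"DisplayName"=""
"ImagePath"="C:\Tools\mytool.exe /service"
"Start"=dword:00000003
"Type"=dword:00000010
"""


def parse_services_export(text: str) -> Dict[str, dict]:
    """Collect the values of each direct Services\<name> key (subkeys are ignored)."""
    services: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        key = SERVICE_KEY_RE.match(line)
        if key:
            current = key.group(1)
            services[current] = {}
            continue
        value = VALUE_RE.match(line)
        if value and current is not None:
            name, text_value, dword = value.groups()
            services[current][name] = int(dword, 16) if dword is not None else text_value
    return services


def process_name(image_path: str) -> str:
    """Executable file name from an ImagePath, e.g. 'svchost.exe' or 'disk.sys'."""
    tokens = image_path.strip().split()
    if not tokens:
        return ""
    return tokens[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def svchost_group(image_path: str) -> str:
    """The -k group for services hosted in svchost.exe, else an empty string."""
    match = re.search(r"-k\s+(\S+)", image_path)
    return match.group(1) if match else ""


def describe_services(services: Dict[str, dict]) -> List[dict]:
    """One row per entry with its three names, kind and startup phase."""
    rows = []
    for reg_name, values in services.items():
        start = values.get("Start", 3)
        phase = START_PHASE.get(start, f"Unknown({start})")
        if phase == "AutoStart" and values.get("DelayedAutostart") == 1:
            phase = "AutoStart (delayed)"   # SCM starts these about 2 minutes later
        image = values.get("ImagePath", "")
        rows.append({
            "registry_name": reg_name,
            "display_name": values.get("DisplayName") or reg_name,  # blank -> registry name
            "process_name": process_name(image),
            "svchost_group": svchost_group(image),
            "kind": "driver" if values.get("Type", 0) & DRIVER_TYPE_MASK else "service",
            "phase": phase,
        })
    return rows


if __name__ == "__main__":
    for row in describe_services(parse_services_export(SAMPLE_REG_EXPORT)):
        print(row)
```

A real export (from regedit or `reg export`) stores ImagePath as hex(2) and doubles backslashes, so the parser would need those two decodings added before use on live data; the classification logic is unchanged. Note how wuauserv's process name is svchost.exe, which is why a shared-process service never appears under its own name in Task Manager.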
How does running with lower privileges affect startup?
The answer to this question will be added in a later update.
What difference does the Windows edition make to startup?
Remember this article only looks at Windows 7.
Client versus server versions
Desktops need fast desktop response times so interactive users are not kept waiting, whereas servers generally need high performance for their applications but have little need to respond quickly to interactive users. That's why desktop and server versions are optimized differently and have different specifications, particularly the limits for CPUs, memory and storage.
You can determine the edition by looking in the registry to see some of the supported features. The product policy details are a copy of Tokens.dat. Server editions, for example, are identified by product type values such as ServerNT and LanmanNT.
- Windows 7 Startup Detail is a companion article that provides a detailed example of the startup steps for each component.
- Windows Startup Terminology summarises terms that are used in this article. The terms generally relate to running programs, so there is a section on how programs start and run.
- Windows 7 Startup Components presents three main diagrams that illustrate the components of Windows: kernel mode system processes, user mode application support, and user-mode system processes.
- What Everybody Should Know About the Windows Registry
- The Windows Internals book doesn't specifically look at Windows startup but it does look at the mechanisms involved in many aspects of startup. The 6th Edition looks at Windows 7 and the two volumes are cheap at the moment because the next edition which covers Windows 8 should be available later in 2014.