You know that the Kernel is initializing when the screen turns blue, and you see text similar to the following:
Microsoft (R) Windows NT (TM) Version 4.0 (Build 1345) 1 System Processor (16 MB Memory)
This means that Ntoskrnl.exe has successfully initialized and that control has passed to it.
The Kernel creates the HKEY_LOCAL_MACHINE\HARDWARE key by using the information that was passed from the boot loader. This key contains the hardware data that is computed at each system startup. The data include information about hardware components on the system board and about the interrupts hooked by specific hardware devices.
The Kernel creates the Clone control set by making a copy of the control set pointed to by the value of Current. The Clone control set is never modified, because it is intended to be an identical copy of the data used to configure the computer and should not reflect any changes made during the startup process.
The Kernel now initializes the low-level device drivers that were loaded during the Kernel load phase. If an error occurs, the action taken is based on the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DriverName\ErrorControl value for the device driver that has a problem. See the section titled "ErrorControl Values," presented later in this chapter, for more information.
Ntoskrnl.exe now scans the Registry, this time for device drivers that have a HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DriverName\Start value of 0x1. As in the Kernel load phase, the Group value for each device driver determines the order in which they are loaded. The Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder defines the loading order.
Unlike the Kernel load phase, device drivers with a Start value of 0x01 are not loaded by using BIOS or firmware calls, but by using the device drivers loaded during the Kernel load phase and just initialized. The device drivers in this second group are initialized as soon as they are loaded. Error processing for the initialization of this group of device drivers is also based on the value of the ErrorControl data item for the device driver.
The section titled "Start Values," presented later in this chapter, contains more information about when components are loaded and started.
The Session Manager (Smss.exe) starts the higher-order subsystems and services for Windows NT. Information for the Session Manager is in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager. Session Manager executes the instructions under the:
The BootExecute data item contains one or more commands that Session Manager runs before it loads any services. The default value for this item is Autochk.exe, which is the Windows NT version of Chkdsk.exe. The default setting is shown in this example:
BootExecute : REG_MULTI_SZ : autocheck autochk*
Session Manager can run more than one program. This example shows the item when the Convert utility will be run to convert the x volume from FAT to NTFS on the next system startup:
BootExecute : REG_MULTI_SZ : autocheck autochk* autoconv \DosDevices\x: /FS:ntfs
After Session Manager runs the commands, the Kernel loads the other Registry keys from %systemroot%\System32\Config.
Next, the Session Manager creates the paging information required by the Virtual Memory Manager. The configuration information is located in these data items:
PagedPoolSize : REG_DWORD 0 NonPagedPoolSize : REG_DWORD 0 PagingFiles : REG_MULTI_SZ : c:\pagefile.sys 32
For information about the page file, use the Index tab in Windows NT Help, and enter virtual memory.
Next, the Session Manager creates symbolic links. These links direct certain classes of commands to the correct component in the file system. The configuration information for these default items is located in:
PRN : REG_SZ : \DosDevices\LPT1 AUX : REG_SZ : \DosDevices\COM1 NUL : REG_SZ : \Device\Null UNC : REG_SZ : \Device\Mup PIPE : REG_SZ : \Device\NamedPipe MAILSLOT : REG_SZ : \Device\MailSlot
Because of the messaging architecture of subsystems, the Windows subsystem (Win32) must be started. This subsystem controls all I/O and access to the video screen. The process name for this subsystem is CSRSS. The Windows subsystem starts the WinLogon process, which then starts several other vital subsystems.
The configuration information for required subsystems is defined by the value for Required in the Registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.