Chapter 5: Startup and Shutdown. Presenter: 이용석. Date: 24 July 2006


Contents

- Boot Process (x86/x64 family only)
- Troubleshooting Boot and Startup Problems
- Shutdown
- Conclusion

Boot Process Overview (1)

- BIOS
- MBR
- Boot sector
- Ntldr
  - Ntbootdd.sys
  - loads Boot.ini
  - Hiberfil.sys, if one exists
  - Boot.ini entry selection
  - if MS-DOS, Bootsect.dos
  - Ntdetect.com
  - displays "Starting Windows"

Boot Process Overview (2)

- Ntldr loads:
  - kernel and HAL images
  - SYSTEM registry hive
  - boot device drivers
  - file system driver
  - boot drivers
- Ntoskrnl, phase 0
  - Interrupts are disabled
  - KiSystemStartup
    - HalInitializeProcessor
    - KiInitializeKernel

Boot Process Overview (3)

- ExpInitializeExecutive
  - HalInitSystem
  - memory manager
  - object manager
  - security reference monitor
  - process manager (prepares the thread for phase 1)
  - Plug and Play manager
  - Idle loop

Boot Process Overview (4)

- Phase 1: NLS, LPC, WMI, Command Server Thread
- Smss: Win32k.sys
- Winlogon: GINA, SCM
  - services, device drivers, Lsass
  - logon notification from GINA
  - shell from GINA
  - etc.

X86 and x64 Boot Process Components (1)

Component | Processor execution | Responsibilities
Master Boot Record (MBR) code | 16-bit real mode | Reads and loads partition boot sectors
Boot sector | 16-bit real mode | Reads the root directory to load Ntldr
Ntldr | 16-bit real mode and 32-bit or 64-bit protected mode; turns on paging | Reads Boot.ini, presents the boot menu, and loads Ntoskrnl.exe, Bootvid.dll, Hal.dll, and boot-start device drivers. If a 32-bit installation is booted, switches to 32-bit protected mode; if a 64-bit installation is booted, switches to 64-bit long mode
Ntdetect.com | 16-bit real mode | Performs hardware detection for Ntldr
Ntbootdd.sys | Protected mode | Device driver used for disk I/O on SCSI and Advanced Technology Attachment (ATA) systems where the BIOS is not used

X86 and x64 Boot Process Components (2)

Component | Processor execution | Responsibilities
Ntoskrnl.exe | Protected mode with paging | Initializes executive subsystems and boot and system-start device drivers, prepares the system for running native applications, and runs Smss.exe
Hal.dll | Protected mode with paging | Kernel-mode DLL that interfaces Ntoskrnl and drivers to the hardware
Smss | Native application | Loads the Windows subsystem, including Win32k.sys and Csrss.exe, and starts the Winlogon process
Winlogon | Native application | Starts the service control manager (SCM), starts the Local Security Subsystem (LSASS), and presents the interactive logon dialog box
Service control manager (SCM) | Native application | Loads and initializes auto-start device drivers and Windows services

BIOS (Basic Input/Output System)

- Encoded into the computer's ROM
- Selects a boot device
- Reads that device's MBR into memory
- Transfers control to the code in the MBR

MBR (Master Boot Record)

- Scans the primary partition table for a bootable partition
- Reads the boot sector into memory and transfers control to it

Boot sector

- Each file system needs its own boot sector code
- Read-only, root-directory-capable file system code
- Reads Ntldr into memory from the root directory of the system volume
- Transfers control to Ntldr's entry point
- If it can't find Ntldr:
  - "BOOT: Couldn't find NTLDR" for FAT
  - "NTLDR is missing" for NTFS

NTLDR (1)

- Begins in real mode
  - No virtual-to-physical translation of memory addresses
  - Can use only the first 1 MB of memory
- Switches the system to protected mode
  - Still no virtual-to-physical translation
  - The full 32 bits of memory address become accessible
  - Can access all of physical memory
- Creates enough page tables to make memory below 16 MB accessible with paging turned on
- Enables paging
- Boot-code functions briefly switch off paging because they depend on the BIOS for IDE and display
- For non-IDE disks (i.e., SCSI), loads Ntbootdd.sys, which is a copy of the SCSI miniport driver

NTLDR (2)

- Reads Boot.ini using built-in file system code
  - Like the boot sector's code, read-only
  - But can read subdirectories
- Clears the screen
- If there is a valid Hiberfil.sys in the root of the system volume:
  - Reads it
  - Transfers control to code in the kernel that resumes a hibernated system
  - Hiberfil.sys is valid only if the computer was hibernated the last time it was shut down
  - See Chapter 11 for information on hibernation

NTLDR (3)

- If there is more than one boot-selection entry in Boot.ini, presents the user with the boot-selection menu
- Selection entries in Boot.ini direct Ntldr to the partition on which the Windows system directory resides
  - This partition is the boot partition or another primary partition
- If the Boot.ini entry refers to an MS-DOS installation (by referring to C:\ as the system partition):
  - Reads Bootsect.dos into memory
  - Switches back to 16-bit real mode
  - Calls the MBR code in Bootsect.dos
  - Continues an MS-DOS-specific boot

NTLDR (4)

- Boot options
  - Can be included on entries in Boot.ini
  - The Bootcfg.exe tool sets a number of the switches
  - Saved to the registry value HKLM\System\CurrentControlSet\Control\SystemStartOptions
- If nothing is selected within the timeout period, chooses the default selection
  - The first entry whose path matches the path set on the "default=" line
- Loads and executes Ntdetect.com
  - A 16-bit real-mode program
  - Uses the system's BIOS to query the computer for basic device and configuration information

NTLDR (5)

- Information gathered by Ntdetect.com:
  - The time and date information stored in the system's CMOS
  - The types of buses on the system and identifiers for devices attached to the buses
  - The number, size, and types of disk drives on the system
  - The types of mouse input devices connected to the system
  - The types of parallel ports configured on the system
  - The types of video adapters present on the system
  - This information will be stored under the HKLM\HARDWARE\DESCRIPTION registry key later in the boot
- Loads boot drivers
  - Windows 2000: displays "Starting Windows"
  - Windows XP and Windows Server 2003: presents a logo splash screen

NTLDR (6)

- If on an x64 system booting an x64 kernel, switches the processor to long mode (native word size is 64 bits)
- Loads the files from the boot volume that are needed to start the kernel initialization
  - The boot volume corresponds to the partition on which the system directory resides
- Loads the appropriate kernel and HAL images (by default, Ntoskrnl.exe and Hal.dll)
  - If this fails: prints the message "Windows could not start because the following file was missing or corrupt", followed by the name of the file

NTLDR (7)

- Reads in the SYSTEM registry hive, \Windows\System32\Config\System, to determine which device drivers need to be loaded to accomplish the boot
- Scans the in-memory SYSTEM hive and locates all boot device drivers
  - Boot-device drivers: drivers necessary to boot the system
  - Indicated in the registry by a Start value of SERVICE_BOOT_START (0)
  - Example: HKLM\SYSTEM\CurrentControlSet\Services\dmio\Start

NTLDR (8)

- Adds the file system driver for the type of partition on which the installation directory resides
  - Must load this driver at this time; if it didn't, that would introduce a circular dependency
- Loads the boot drivers
  - To avoid a circular dependency
  - Displays a progress bar to indicate the progress of the loading
  - /SOS switch: displays the filename of each boot driver instead of the progress bar
- Prepares CPU registers for the execution of Ntoskrnl.exe

Boot options (1)

Boot Qualifier | Meaning
/3GB | Increases the size of the user process address space from 2 GB to 3 GB (and therefore reduces the size of system space from 2 GB to 1 GB). Giving virtual-memory-intensive applications such as database servers a larger address space can improve their performance. For an application to take advantage of this feature, however, two additional conditions must be met: the system must be running Windows XP, Windows Server 2003, Windows 2000 Advanced Server, or Datacenter Server; and the application .exe must be flagged as a 3-GB-aware application (applies to 32-bit systems only). (See the section "Address Space Layout" in Chapter 7 for more information.)
/BOOTLOG | Causes Windows to write a log of the boot to the file %SystemRoot%\Ntbtlog.txt
/BURNMEMORY= | Specifies an amount of memory Windows can't use (similar to the /MAXMEM switch). The value is specified in megabytes. Example: /BURNMEMORY=128 would indicate that Windows can't use 128 MB of the total physical memory on the machine.
/DEBUG | Enables kernel-mode debugging

Boot options (2)

Boot Qualifier | Meaning
/FASTDETECT | Default boot option for Windows. Replaces the Windows NT 4 switch /NOSERIALMICE. The reason the qualifier exists (vs. just having NTDETECT perform this operation by default) is so that NTDETECT can support booting Windows NT 4. Windows Plug and Play device drivers perform detection of parallel and serial devices, but Windows NT 4 expects NTDETECT to perform the detection. Thus, specifying /FASTDETECT causes NTDETECT to skip parallel and serial device enumeration (actions that are not required when booting Windows), whereas omitting the switch causes NTDETECT to perform this enumeration (which is required for booting Windows NT 4).
/MAXMEM= | Limits Windows to ignore (not use) physical memory beyond the amount indicated. The number is interpreted in megabytes. Example: /MAXMEM=32 would limit the system to using the first 32 MB of physical memory even if more were present.
/SOS | Causes Windows to list the device drivers marked to load at boot time and then to display the system version number (including the build number), amount of physical memory, and number of processors
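The Boot.ini handling described in the NTLDR (3)/(4) slides and the qualifier tables can be exercised offline. The following reader is an added example (not code from the slides or from Windows) that parses a constructed Boot.ini, selects the default entry the way Ntldr does (first entry whose path matches the "default=" line), splits each entry's qualifiers, and reports entries that boot with /DEBUG, which an administrator auditing a machine would want to know about.

```python
"""Boot.ini reader modelled on the Ntldr behaviour described above.
Added example; not code from the original slides."""
import re

# Constructed Boot.ini sample (hypothetical machine, not real data).
SAMPLE_BOOT_INI = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows XP (debug)" /fastdetect /DEBUG /SOS /MAXMEM=512
C:\="Microsoft Windows 98"
"""

# path="description" [/switch ...]; the path runs up to the first '='.
ENTRY_RE = re.compile(r'^(?P<path>[^=]+)="(?P<desc>[^"]*)"(?P<opts>.*)$')


def parse_options(opt_text):
    """Split '/SOS /MAXMEM=512' into {'SOS': True, 'MAXMEM': '512'}.
    Qualifier names are case-insensitive in Boot.ini, so they are upper-cased."""
    options = {}
    for token in opt_text.split():
        if not token.startswith('/'):
            continue
        name, _, value = token[1:].partition('=')
        options[name.upper()] = value if value else True
    return options


def parse_boot_ini(text):
    """Return ([boot loader] settings, list of [operating systems] entries)."""
    loader, entries, section = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].lower()
            continue
        if section == 'boot loader':
            key, _, value = line.partition('=')
            loader[key.strip().lower()] = value.strip()
        elif section == 'operating systems':
            m = ENTRY_RE.match(line)
            if m is None:
                continue  # malformed entry: nothing to offer on the menu
            path = m.group('path').strip()
            entries.append({
                'path': path,
                'description': m.group('desc'),
                'options': parse_options(m.group('opts')),
                # An entry naming C:\ as the system partition is an MS-DOS
                # installation that is booted through Bootsect.dos.
                'is_dos': path.upper() in ('C:', 'C:\\'),
            })
    return loader, entries


def select_default(loader, entries):
    """The entry booted when the menu times out: the first entry whose path
    matches the "default=" line (None if nothing matches)."""
    default_path = loader.get('default', '').lower()
    for entry in entries:
        if entry['path'].lower() == default_path:
            return entry
    return None


def debug_enabled_entries(entries):
    """Descriptions of entries that boot with /DEBUG (kernel-mode debugging on)."""
    return [e['description'] for e in entries if 'DEBUG' in e['options']]


if __name__ == '__main__':
    loader, entries = parse_boot_ini(SAMPLE_BOOT_INI)
    print('timeout:', loader['timeout'], 'seconds')
    print('default entry:', select_default(loader, entries)['description'])
    print('entries with /DEBUG:', debug_enabled_entries(entries))
```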

Ntoskrnl (1)

- Receives from Ntldr:
  - A copy of the selected line in Boot.ini
  - A pointer to the memory tables Ntldr generated to describe the physical memory on the system
  - A pointer to the in-memory copy of the HARDWARE and SYSTEM registry hives
  - A pointer to the list of boot drivers
- Two-phase initialization process
  - Most executive subsystem initialization functions take a parameter that identifies which phase is executing

Ntoskrnl (2)

main
    // start phase 0
    disable interrupts
    KiSystemStartup
        HalInitializeProcessor
        KiInitializeKernel              // on boot CPU only: systemwide kernel initialization
            ExpInitializeExecutive
                HalInitSystem
                process the /BURNMEMORY switch (on boot CPU)
                phase 0 initialization routines for the 5 managers
                proceed to the idle loop
    // end of phase 0

Ntoskrnl (3)

- Phase 0
  - Interrupts are disabled
  - Builds the rudimentary structures required to allow the services needed in phase 1 to be invoked
  - Calls KiSystemStartup, which calls HalInitializeProcessor and KiInitializeKernel for each CPU
- KiInitializeKernel
  - On the boot CPU: performs systemwide kernel initialization
  - On other CPUs: calls ExpInitializeExecutive
- ExpInitializeExecutive
  - Responsible for orchestrating phase 0
  - Calls the HAL function HalInitSystem

Ntoskrnl (4)

- ExpInitializeExecutive on the boot CPU
  - Processes the /BURNMEMORY Boot.ini switch, discarding the amount of memory the switch specifies (cf. /MAXMEM)
  - Calls the phase 0 initialization routines: memory manager, object manager, security reference monitor, process manager, and Plug and Play manager
- HalInitSystem
  - Gains system control before Windows performs significant further initialization
  - Prepares the system interrupt controller of each CPU for interrupts
  - Configures the interval clock timer interrupt, which is used for CPU time accounting (see Chapter 6 for more on CPU time accounting)

Ntoskrnl (5)

- Memory manager's initialization
  - Constructs page tables
  - Prepares internal data structures for basic memory services
  - Builds and reserves an area for the system file cache
  - Creates memory areas for the paged and nonpaged pools
- Object manager's initialization
  - Defines the objects that are necessary to construct the object manager namespace
  - Creates a handle table
- Security reference monitor's initialization
  - Initializes the token type object
  - Prepares the first local system account token for assignment to the initial process (see Chapter 8)

Ntoskrnl (6)

- Process manager's initialization
  - Performs most of its initialization in phase 0
  - Defines the process and thread object types
  - Sets up lists to track active processes and threads
  - Creates the System process and a system thread to execute the routine Phase1Initialization (not started now, because interrupts are disabled)
- Plug and Play manager's initialization
  - Simply initializes an executive resource used to synchronize bus resources

Ntoskrnl (7)

- Phase 1
- HalInitSystem
  - Prepares the system to accept interrupts from devices
  - Enables interrupts
- Boot video driver, \Windows\System32\Bootvid.dll
  - Windows 2000: displays the Windows startup screen
  - Windows XP, 2003: presents the same graphic that Ntldr placed on the screen earlier in the boot
- Power manager's initialization
- The system time is initialized (by HalQueryRealTimeClock) and then stored as the time the system booted
- On a multiprocessor system, the remaining processors are initialized and execution starts
- The progress bar is set to 5 percent

Ntoskrnl (8)

- The object manager creates:
  - the namespace root directory (\)
  - the \ObjectTypes directory
  - the DOS device name mapping directory (\?? on Windows 2000, \Global?? on Windows XP and Windows Server 2003)
  - the \DosDevices symbolic link that points at the DOS device name mapping directory
- The executive creates the executive object types, including semaphore, mutex, event, and timer
- The kernel initializes:
  - scheduler (dispatcher) data structures
  - the system service dispatch table

Ntoskrnl (9)

- The security reference monitor
  - Creates the \Security directory in the object manager namespace
  - Initializes auditing data structures if auditing is enabled
- The progress bar is set to 10 percent
- The memory manager creates the section object and the memory manager's system worker thread (explained in Chapter 7)
- National language support (NLS) tables are mapped into system space
- Ntdll.dll is mapped into the system address space
- The cache manager
  - Initializes the file system cache data structures
  - Creates its worker thread

Ntoskrnl (10)

- The configuration manager
  - Creates the \Registry key object in the object manager namespace
  - Copies the initial registry data passed by Ntldr into the HARDWARE and SYSTEM hives
- Global file system driver data structures are initialized
- The Plug and Play manager calls the Plug and Play BIOS
- The progress bar is set to 20 percent
- The local procedure call (LPC) subsystem initializes the LPC port type object
- If the system was booted with boot logging (/BOOTLOG), the boot log file is initialized
- The progress bar is set to 25 percent

Ntoskrnl (11)

- I/O manager initialization
  - Initializes various internal structures
  - Creates the driver and device object types
  - Calls the Plug and Play manager, power manager, and HAL to begin the various stages of dynamic device enumeration and initialization (see Chapter 9)
  - Windows Management Instrumentation (WMI) is initialized (see Chapter 4)
  - Boot-start drivers are called to perform their driver-specific initialization
  - System-start device drivers are loaded and initialized (see Chapter 9)
  - MS-DOS device names are created as symbolic links in the object manager's namespace

Ntoskrnl (12)

- The progress bar is set to 75 percent
- If the computer is booting in safe mode, this fact is recorded in the registry
- Unless explicitly disabled in the registry, paging of kernel-mode code (in Ntoskrnl and drivers) is enabled
- The progress bar is set to 80 percent
- The power manager initializes various power management structures
- The progress bar is set to 85 percent
- The security reference monitor creates the Command Server Thread that communicates with Lsass (see Chapter 8)
- The progress bar is set to 90 percent
- The Session Manager subsystem (Smss) is created
- The progress bar is (finally) set to 100 percent

Ntoskrnl (13)

- The phase 1 initialization thread waits for the handle to the Session Manager process with a timeout value of 5 seconds
- If it does time out: the system crashes itself with a SESSION5_INITIALIZATION_FAILED bug check code
- Else: the Session Manager is assumed to have started successfully, and the thread calls the memory manager's zero page thread function (explained in Chapter 7)
  - This system thread becomes the zero page thread for the remainder of the life of the system

Smss (1)

- Considered a trusted part of the operating system by Windows, so it can perform actions such as creating security tokens
- Is a native application
  - Doesn't use Windows APIs; uses only core executive APIs, the Windows native API
  - Because the Windows subsystem isn't executing when Smss launches
- Starts the Windows subsystem
- Calls the configuration manager executive subsystem to initialize the registry

Smss (2)

- Fleshes the registry out to include all its keys
  - The configuration manager records the paths to the hives it loads in the HKLM\SYSTEM\CurrentControlSet\Control\hivelist key
- Creates an LPC port object (\SmApiPort) and two threads to wait for client requests
  - Requests such as to load a new subsystem or create a session
- Defines the symbolic links for MS-DOS device names, such as COM1 and LPT1
- If Terminal Services is installed, creates the \Sessions directory in the object manager's namespace (for multiple sessions)

Smss (3)

- Runs programs automatically
  - Defined in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
  - Typically the boot-time version of Chkdsk (Autochk)
- Performs delayed file rename and delete operations
  - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
  - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2
- Opens known DLLs
  - The list of DLLs in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs

Smss (4)

- (Known DLLs, continued) Creates section objects for them in the \KnownDlls directory of the object manager namespace
- Creates additional paging files
  - Configuration: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles
- Initializes the registry
  - Fleshes out the registry by loading the registry hives for the HKLM\SAM, HKLM\SECURITY, and HKLM\SOFTWARE keys
  - Hive locations to look for: HKLM\SYSTEM\CurrentControlSet\Control\hivelist, or \Windows\System32\Config (forced)

Smss (5)

- Creates system environment variables
  - HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
- Loads the kernel-mode part of the Windows subsystem (Win32k.sys)
  - Path to it and its components: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
  - Changes from VGA mode to the default resolution chosen for the system
- Starts the subsystem processes, including Csrss
  - On Windows 2000, the POSIX and OS/2 subsystems too
- Starts the logon process (Winlogon)
- Creates LPC ports for debug event messages (DbgSsApiPort and DbgUiApiPort) and a thread to listen on those ports

Smss (6)

- Pending file rename operations
  - Executable images and DLLs are memory-mapped when they are used, so it is impossible to update core system files after Windows has finished booting
  - MoveFileEx has an option to specify that a file move be delayed until the next boot
  - Type: MULTI_SZ
  - Value syntax: pairs of filenames
    - Source: \??\C:\Long Directory Name\Long File Name.exe
    - Target: empty string ('\u0000') for delete
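Because Smss applies these operations before any user-mode protection runs, a responder reviewing a machine wants to see exactly which files will be swapped or deleted at the next boot. The following decoder is an added example (not code from the slides or from Windows): it encodes and decodes the REG_MULTI_SZ blob, pairs the strings into operations (empty target = delete), and flags operations touching system directories. The "!" prefix on a target is MoveFileEx's replace-existing marker, a registry convention assumed here and not stated on the slide; paths, the service filename and the protected roots are constructed.

```python
"""PendingFileRenameOperations decoder and triage.
Added example; not code from the original slides."""

NT_PREFIX = '\\??\\'


def encode_multi_sz(strings):
    """Raw REG_MULTI_SZ blob: each string NUL-terminated in UTF-16LE, then one
    extra NUL terminates the list (assumed layout, matches the registry format)."""
    return b''.join(s.encode('utf-16-le') + b'\x00\x00' for s in strings) + b'\x00\x00'


def decode_multi_sz(blob):
    """Inverse of encode_multi_sz. Empty strings inside the list are meaningful
    (they are the delete marker), so only the terminators are stripped."""
    text = blob.decode('utf-16-le')
    if not text.endswith('\x00'):
        raise ValueError('REG_MULTI_SZ is not NUL-terminated')
    text = text[:-1]                      # drop the list terminator
    parts = text.split('\x00')
    if parts[-1] != '':
        raise ValueError('last string is not NUL-terminated')
    return parts[:-1]                     # drop the empty piece after the last NUL


def strip_nt_prefix(path):
    return path[len(NT_PREFIX):] if path.startswith(NT_PREFIX) else path


def parse_pending_ops(strings):
    """Pair source/target strings into operations as Smss would apply them."""
    if len(strings) % 2:
        raise ValueError('odd number of strings: value is not source/target pairs')
    ops = []
    for source, target in zip(strings[0::2], strings[1::2]):
        # '!' prefix: overwrite an existing target (MOVEFILE_REPLACE_EXISTING).
        replace_existing = target.startswith('!')
        if replace_existing:
            target = target[1:]
        ops.append({
            'op': 'delete' if target == '' else 'rename',
            'source': strip_nt_prefix(source),
            'target': strip_nt_prefix(target) if target else None,
            'replace_existing': replace_existing,
        })
    return ops


def flag_system_paths(ops, roots=(r'C:\WINDOWS\SYSTEM32',)):
    """Operations whose source or target lies under a protected root
    (case-insensitive, as NTFS paths are). The default root is a constructed choice."""
    roots_u = tuple(r.upper().rstrip('\\') + '\\' for r in roots)
    flagged = []
    for op in ops:
        for p in (op['source'], op['target']):
            if p and p.upper().startswith(roots_u):
                flagged.append(op)
                break
    return flagged


# Constructed sample value (hypothetical paths): one replace-rename into
# System32\drivers and one delete of a temporary file.
SAMPLE_STRINGS = [
    r'\??\C:\WINDOWS\TEMP\drv_1a2b.tmp',
    r'!\??\C:\WINDOWS\system32\drivers\examplefilt.sys',
    r'\??\C:\WINDOWS\TEMP\install.log',
    '',
]
SAMPLE_BLOB = encode_multi_sz(SAMPLE_STRINGS)


if __name__ == '__main__':
    ops = parse_pending_ops(decode_multi_sz(SAMPLE_BLOB))
    for op in ops:
        print(op)
    print('touching system directories:', flag_system_paths(ops))
```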

Smss (7)

- The main thread in Smss waits forever for the process handles to Csrss and Winlogon
- If either of these processes terminates unexpectedly
  - In Windows 2000: Smss crashes the system
  - If Csrss exits in Windows XP and 2003: the kernel crashes the system

Winlogon (1)

- Creates the initial window station and desktop objects
- If a DLL is specified in HKLM\Software\Microsoft\WindowsNT\CurrentVersion\WinLogon\GinaDLL, uses that DLL as the GINA
  - Otherwise: uses the Microsoft default GINA, Msgina (\Windows\System32\Msgina.dll)
- Displays the standard Windows logon dialog box
- Creates the service control manager (SCM) process (\Windows\System32\Services.exe)
  - Loads all services and device drivers marked for auto-start

Winlogon (2)

- Creates the local security authentication subsystem (Lsass) process (\Windows\System32\Lsass.exe)
  - See the section "Winlogon Initialization" in Chapter 8
- The registry last known good control set is updated to match \CurrentControlSet
  - After SCM initializes the auto-start services and drivers
  - After a user has successfully logged on at the console
  - HKLM\SYSTEM\Select\LastKnownGood
- Overriding the definition of a successful boot
  - Set HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\ReportBootOk to 0
  - Custom boot verification program: HKLM\System\CurrentControlSet\Control\BootVerificationProgram
  - The program calls NotifyBootConfigStatus

Winlogon (3)

- Waits for an interactive logon notification from the GINA
- Validates the logon (see "User Logon Steps" in Chapter 8)
- Loads the registry hive from the profile and maps it to HKCU
- Sets the user's environment variables (HKCU\Environment)
- Notifies that a logon has occurred
  - HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Notify (ex: AtiExtEvent)

Winlogon (4)

- Tells the GINA to start the shell
  - Msgina launches the executable or executables specified in HKLM\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Userinit (separated by commas)
  - By default: \Windows\System32\Userinit.exe
- Userinit.exe performs:
  - the user scripts: HKCU\Software\Policies\Microsoft\Windows\System\Scripts
  - the machine logon scripts: HKLM\Software\Policies\Microsoft\Windows\System\Scripts
  - Because machine scripts run after user scripts, they can override user settings

Winlogon (5)

- Starts \Windows\System32\Proquota.exe if group policy specifies a user profile quota, to enforce the quota for the current user
- Launches the comma-separated shell or shells
  - HKCU\Software\Microsoft\WindowsNT\CurrentVersion\Winlogon\Shell
  - By default: Explorer.exe
- Notifies registered network providers that a user has logged in
  - The Microsoft network provider, Multiple Provider Router (\Windows\System32\Mpr.dll), restores the user's persistent drive letter and printer mappings, stored in HKCU\Network and HKCU\Printers, respectively

Images that Start Automatically

- Default system components check and process locations for automatic process startup during the boot and logon process
- Msconfig utility
  - Windows XP and Windows Server 2003 (\Windows\System32\Msconfig.exe)
  - Displays the images configured by several of the locations
- Sysinternals' Autoruns tool

EXPERIMENT: Autoruns

Troubleshooting Boot and Startup Problems: Contents

- Windows boot-problem recovery modes
  - Last known good
  - Safe mode
  - Recovery console
- Common boot problems

Windows boot-problem recovery modes (1)

- Last Known Good (LKG)
  - System's configuration settings: HKLM\System\CurrentControlSet\Control
  - Driver and service configuration: HKLM\System\CurrentControlSet\Services
- When booting with the last known good menu selection
  - Marks the control set that failed by setting the HKLM\System\Select\Failed value
  - Changes HKLM\System\Select\Current to HKLM\System\Select\LastKnownGood
  - Updates the symbolic link HKLM\System\CurrentControlSet to point at the LastKnownGood control set
  - Because the new driver's key is not present, the system will boot successfully

Windows boot-problem recovery modes (2)

- Safe Mode
  - For when a device driver crashes the machine during the boot sequence
  - Software and hardware configurations can change over time
  - A concept Windows borrows from Consumer Windows: a minimal set of device drivers and services
- Four safe-mode variations
  - Safe Mode
  - Safe Mode With Networking
  - Safe Mode With Command Prompt
  - Directory Services Restore Mode: everything except the Active Directory service, so repair operations can be performed on its database

Windows boot-problem recovery modes (3)

- Recovery Console
  - In some situations a safe-mode boot won't help the system boot
    - Ex) A driver that prevents the system from booting is a member of a Safe group
    - Ex) A third-party driver, such as a virus scanner driver, that loads at boot (a boot-start driver) prevents the system from booting
    - Ex) A system module or critical device driver file that is part of a safe-mode configuration becomes corrupt, or when the system drive's Master Boot Record (MBR)
  - Boot into a limited command-line shell from the Windows CD or boot disks to repair an installation without having to boot the installation

Solving Common Boot Problems (1)

- MBR Corruption
  - Symptoms: the system executes the BIOS power-on self test (POST), displays BIOS version information or OEM branding, switches to a black screen, and then hangs; or it displays "Invalid Partition Table," "Error Loading Operating System," or "Missing Operating System."
  - Cause: hard-disk errors, a driver bug while Windows is running, or intentional scrambling as a result of a virus
  - Resolution: boot into the Recovery Console and execute the fixmbr command, which replaces the executable code in the MBR; it cannot restore a damaged partition table
- Boot Sector Corruption
- Boot.ini Misconfiguration
- System File Corruption
- System Hive Corruption
- Post-Splash Screen Crash or Hang

Solving Common Boot Problems (2)

- Windows File Protection (WFP)
  - Runs within Winlogon
  - Implemented in two DLLs: \Windows\System32\Sfc.dll and \Windows\System32\Sfc_os.dll
  - Monitors several directories for changes to key drivers, executables, and DLLs, including most subdirectories under \Windows, using the native API version of ReadDirectoryChangesW
  - If a file is modified and the new file isn't Microsoft-signed, rolls it back from the DLLCache
  - If the file doesn't exist there: checks the network install path or the setup media

Solving Common Boot Problems (3)

Creating a diff between the failed and current control sets after LKG (Last Known Good)

1. Run Regedit, and select HKLM\System\CurrentControlSet
2. Select Export from the File menu, and save to a file named good.reg
3. Open HKLM\System\Select, read the value of Failed, and select the subkey named HKLM\System\ControlSetXXX, where XXX is the value of Failed
4. Export the contents of the control set to bad.reg
5. Use WordPad (found under Accessories in the Start menu) to globally replace all instances of "CurrentControlSet" in good.reg with "ControlSet"
6. Use WordPad to change all instances of "ControlSetXXX" (replacing XXX with the value of the Failed control set) in bad.reg with "ControlSet"
7. Run Windiff from the Support Tools, and compare the two files
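The same comparison can be scripted. The following is an added example (not the book's or the slides' own tooling): it normalises the two exported .reg texts to a common "ControlSet" prefix as steps 5 and 6 do, parses them into key/value maps, reports the differences, and, tying back to the NTLDR (7) slide, lists service keys that exist only in the failed set and have Start = SERVICE_BOOT_START (0), the typical cause of an LKG boot. The .reg text and the driver name badfilt are constructed; the Failed value of 2 is a sample. Regedit writes UTF-16LE files, so decode to str before calling parse_reg.

```python
"""Diff of LKG control sets from Regedit exports, with boot-start driver check.
Added example; not code from the original slides."""
import re

VALUE_RE = re.compile(r'^(?:"(?P<name>[^"]*)"|(?P<default>@))=(?P<data>.*)$')
SERVICE_RE = re.compile(r'^HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet\\Services\\([^\\]+)$',
                        re.IGNORECASE)


def failed_control_set_name(failed_value):
    """HKLM\\System\\Select\\Failed = 2 names the subkey ControlSet002."""
    return 'ControlSet%03d' % failed_value


def normalize(reg_text, control_set_name):
    """Rewrite CurrentControlSet / ControlSetXXX to the neutral 'ControlSet'."""
    return reg_text.replace(control_set_name, 'ControlSet')


def parse_reg(text):
    """Return {key path: {value name: raw data}}; '@' is the default value.
    Lines ending in a backslash are continuations of hex data."""
    keys, current, pending = {}, None, ''
    for raw in text.splitlines():
        line = (pending + raw.strip()) if pending else raw.rstrip()
        pending = ''
        if line.endswith('\\'):
            pending = line[:-1]
            continue
        if not line or line.startswith('Windows Registry Editor'):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            raise ValueError('unexpected line in .reg export: %r' % line)
        name = m.group('name') if m.group('name') is not None else '@'
        keys[current][name] = m.group('data')
    return keys


def diff_control_sets(good, bad):
    """Keys only in bad, keys only in good, and values that differ in shared keys."""
    added = sorted(set(bad) - set(good))
    removed = sorted(set(good) - set(bad))
    changed = {}
    for key in set(good) & set(bad):
        names = sorted(set(good[key]) | set(bad[key]))
        diffs = [n for n in names if good[key].get(n) != bad[key].get(n)]
        if diffs:
            changed[key] = diffs
    return added, removed, changed


def new_boot_start_drivers(good, bad):
    """Service keys present only in the failed set that load at boot (Start = 0)."""
    names = []
    for key in sorted(set(bad) - set(good)):
        m = SERVICE_RE.match(key)
        if m and bad[key].get('Start', '').lower() == 'dword:00000000':
            names.append(m.group(1))
    return names


# Constructed exports (hypothetical machine). bad.reg was taken from
# ControlSet002 because Select\Failed = 2 on this sample.
GOOD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control]
"SystemStartOptions"="FASTDETECT"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dmio]
"Type"=dword:00000001
"Start"=dword:00000000
"""

BAD_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control]
"SystemStartOptions"="FASTDETECT DEBUG"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\dmio]
"Type"=dword:00000001
"Start"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\badfilt]
"Type"=dword:00000001
"Start"=dword:00000000
"ImagePath"=hex(2):62,00,61,00,64,00,66,00,69,00,6c,00,74,00,2e,00,73,00,\
  79,00,73,00,00,00
"""


if __name__ == '__main__':
    good = parse_reg(normalize(GOOD_REG, 'CurrentControlSet'))
    bad = parse_reg(normalize(BAD_REG, failed_control_set_name(2)))
    added, removed, changed = diff_control_sets(good, bad)
    print('keys only in failed set:', added)
    print('changed values:', changed)
    print('boot-start drivers only in failed set:', new_boot_start_drivers(good, bad))
```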

Shutdown (1)

- A logged-on user shuts down by calling ExitWindowsEx
  - A message is sent to Csrss instructing it to perform the shutdown
  - Csrss terminates all the processes in the interactive user's session

Diagram (shutdown of the interactive user's session), as a sequence:
1. Logged-on user (A) calls ExitWindowsEx
2. Shutdown message to Csrss
3. Csrss sends a shutdown message (for logged-on user A) to Winlogon
4. Winlogon calls ExitWindowsEx with a special flag (for each logged-on user)
5. Shutdown message to Csrss
6. WM_QUERYENDSESSION to processes owning a top-level window
7. WM_ENDSESSION to processes owning a top-level window
8. CTRL_LOGOFF_EVENT to console applications
9. Winlogon calls ExitWindowsEx to terminate the COM processes related to the interactive user's session
10. Shutdown message to Csrss
11. Csrss terminates the COM processes

Shutdown (2)

- Csrss, for each request from Winlogon (i.e., for each interactive user, not only the user who requested the shutdown)
  - In reverse order of their shutdown level (set by calling SetProcessShutdownParameters)
  - For each process that owns a top-level window
    - For each thread in the process that has a Windows message loop
      - Sends the WM_QUERYENDSESSION message; if TRUE, the system shutdown can proceed
      - Sends the WM_ENDSESSION Windows message
      - Waits the number of seconds defined in HKCU\Control Panel\Desktop\HungAppTimeout
      - On timeout: displays the hung-program dialog box
    - Terminates the process

EXPERIMENT: Witnessing the HungAppTimeout

Shutdown (3)

- For each console application
  - Sends the CTRL_LOGOFF_EVENT event
  - If FALSE: kills the process
  - If TRUE or the process doesn't respond: waits HKCU\Control Panel\Desktop\WaitToKillAppTimeout, then displays the hung-program dialog box
- For the request from Winlogon via ExitWindowsEx, terminates any COM processes that are part of the interactive user's session

Shutdown (4)

- Sends messages to all the processes belonging to the system context
- Csrss looks at all the processes belonging to the system context

Diagram (shutdown of system-context processes), as a sequence:
1. Winlogon calls ExitWindowsEx in the system process context
2. Shutdown message to Csrss
3. WM_QUERYENDSESSION to GUI threads
4. WM_ENDSESSION to GUI threads
5. CTRL_SHUTDOWN_EVENT to registered control handlers
6. Service shutdown control message from the SCM

Shutdown (5)

- Although Csrss performs the same timeouts as when it was terminating the user's processes:
  - It doesn't display any dialog boxes
  - It doesn't kill any processes
  - It simply allows system processes a chance to clean up and exit before the system shuts down
- Many system processes are in fact still running when the system shuts down: Smss, Winlogon, SCM, Lsass, etc.

Shutdown (6)

- After Csrss has finished its pass notifying system processes that the system is shutting down:
  1. Winlogon calls NtShutdownSystem
  2. NtShutdownSystem calls NtSetSystemPowerState
  3. NtSetSystemPowerState orchestrates the shutdown of drivers and of the rest of the executive subsystems: Plug and Play manager, power manager, executive, I/O manager, configuration manager, memory manager

Shutdown (7)

- System shutdown ends in the power manager: a shutdown, a reboot, or a power down

Conclusion

- The detailed steps involved in starting and shutting down Windows
- We're ready to explore the individual executive components in more detail, starting with processes and threads.