Published on SlidePlayer by Gwen Melissa Rich.
Chapter 5: Startup and Shutdown
Presenter: 이용석
Date: 24 July 2006
Contents
- Boot Process (x86/x64 only)
- Troubleshooting Boot and Startup Problems
- Shutdown
- Conclusion
Boot Process Overview (1)
BIOS -> MBR -> boot sector -> Ntldr
- Ntldr loads Ntbootdd.sys (when the BIOS is not used for disk I/O) and reads Boot.ini
- If a valid Hiberfil.sys exists, Ntldr resumes the hibernated system instead of booting
- Otherwise it presents the Boot.ini entry selection; an MS-DOS entry is handed off to Bootsect.dos
- Runs Ntdetect.com, then displays "Starting Windows"
Boot Process Overview (2)
- Ntldr loads the kernel and HAL images, the SYSTEM registry hive, the boot device drivers, the file system driver, and the boot drivers
- Ntoskrnl phase 0 runs with interrupts disabled: KiSystemStartup -> HalInitializeProcessor -> KiInitializeKernel
Boot Process Overview (3)
- ExpInitializeExecutive -> HalInitSystem
- Phase 0 initialization of the memory manager, object manager, security reference monitor, process manager (which prepares the thread that will run phase 1) and Plug and Play manager
- The boot processor then enters the idle loop
Boot Process Overview (4)
- Phase 1: NLS tables, LPC, WMI, the Command Server Thread
- Smss -> Win32k.sys -> Winlogon -> GINA
- The SCM starts services and device drivers; Winlogon starts Lsass
- Winlogon receives the logon notification from the GINA and later asks the GINA to start the shell
x86 and x64 Boot Process Components (1)
Component | Processor execution | Responsibilities
Master Boot Record (MBR) code | 16-bit real mode | Reads and loads partition boot sectors
Boot sector | 16-bit real mode | Reads the root directory to load Ntldr
Ntldr | 16-bit real mode and 32-bit or 64-bit protected mode; turns on paging | Reads Boot.ini, presents the boot menu, and loads Ntoskrnl.exe, Bootvid.dll, Hal.dll, and boot-start device drivers. If a 32-bit installation is booted, switches to 32-bit protected mode; if a 64-bit installation is booted, switches to 64-bit long mode
Ntdetect.com | 16-bit real mode | Performs hardware detection for Ntldr
Ntbootdd.sys | Protected mode | Device driver used for disk I/O on SCSI and Advanced Technology Attachment (ATA) systems where the BIOS is not used
x86 and x64 Boot Process Components (2)
Component | Processor execution | Responsibilities
Ntoskrnl.exe | Protected mode with paging | Initializes executive subsystems and boot and system-start device drivers, prepares the system for running native applications, and runs Smss.exe
Hal.dll | Protected mode with paging | Kernel-mode DLL that interfaces Ntoskrnl and drivers to the hardware
Smss | Native application | Loads the Windows subsystem, including Win32k.sys and Csrss.exe, and starts the Winlogon process
Winlogon | Native application | Starts the service control manager (SCM), starts the Local Security Authority Subsystem (Lsass), and presents the interactive logon dialog box
Service control manager (SCM) | Native application | Loads and initializes auto-start device drivers and Windows services
BIOS (Basic Input/Output System)
- Encoded into the computer's ROM
- Selects a boot device
- Reads that device's MBR into memory
- Transfers control to the code in the MBR
MBR (Master Boot Record)
- Scans the primary partition table for the bootable (active) partition
- Reads that partition's boot sector into memory and transfers control to it
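The partition-table scan described above, written out as an added example (this is illustrative Python, not the MBR boot code): it checks the 0x55AA signature, walks the four 16-byte primary partition entries at offset 446, rejects status bytes other than 0x00/0x80, and selects the single active entry whose boot sector would receive control. The 512-byte sample MBR is constructed inside the block, not captured from a disk.

```python
"""Parse a 512-byte MBR the way the boot code does: signature, partition table,
active partition. Sample data is constructed, not taken from a real disk."""
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"
STATUS_ACTIVE = 0x80
STATUS_INACTIVE = 0x00


class MbrError(ValueError):
    """Raised where the MBR boot code would stop and print an error."""


def parse_partition_table(sector: bytes) -> list:
    """Return the non-empty primary partition entries as dicts."""
    if len(sector) != SECTOR_SIZE:
        raise MbrError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    if sector[510:512] != BOOT_SIGNATURE:
        raise MbrError("missing 0x55AA boot signature")
    entries = []
    for index in range(4):
        offset = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        # status(1) CHS start(3) type(1) CHS end(3) start LBA(4) sector count(4), little-endian
        status, ptype, start_lba, sectors = struct.unpack_from("<B3xB3xII", sector, offset)
        if status not in (STATUS_INACTIVE, STATUS_ACTIVE):
            raise MbrError("entry %d: invalid status byte 0x%02x" % (index, status))
        if ptype == 0:
            continue  # empty slot
        entries.append({"index": index, "active": status == STATUS_ACTIVE, "type": ptype,
                        "start_lba": start_lba, "sectors": sectors})
    return entries


def select_boot_partition(sector: bytes) -> dict:
    """Pick the one active partition; its boot sector is what gets loaded next."""
    active = [e for e in parse_partition_table(sector) if e["active"]]
    if len(active) != 1:
        raise MbrError("expected exactly one active partition, found %d" % len(active))
    return active[0]


def diagnose(sector: bytes) -> str:
    """One-line verdict, the kind of check run on a disk image of a machine that hangs after POST."""
    try:
        part = select_boot_partition(sector)
    except MbrError as exc:
        return "unbootable: " + str(exc)
    return "boot partition %d (type 0x%02x) at LBA %d, %d sectors" % (
        part["index"], part["type"], part["start_lba"], part["sectors"])


def build_sample_mbr() -> bytes:
    """Constructed sample: zeroed boot code, an active NTFS primary partition at
    LBA 63 and an extended partition after it."""
    sector = bytearray(SECTOR_SIZE)
    entries = [
        # status, type, start LBA, sector count
        (STATUS_ACTIVE, 0x07, 63, 40_000_000),            # NTFS, bootable
        (STATUS_INACTIVE, 0x0F, 40_000_063, 20_000_000),  # extended (LBA)
    ]
    for index, (status, ptype, start, count) in enumerate(entries):
        offset = PARTITION_TABLE_OFFSET + index * ENTRY_SIZE
        struct.pack_into("<B3xB3xII", sector, offset, status, ptype, start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


if __name__ == "__main__":
    good = build_sample_mbr()
    print(diagnose(good))
    scrambled = bytearray(good)
    scrambled[511] = 0x00  # one clobbered signature byte is enough to stop the boot
    print(diagnose(bytes(scrambled)))
```

Note that the signature and the active-flag check are the only things the 446 bytes of MBR code verify; a partition table that passes both but points at the wrong LBA is still "valid" here, which is why fixmbr (later in this chapter) can rewrite the code but cannot repair the table.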
Boot sector
- Each file system needs its own boot sector code
- The code is read-only and can read the root directory
- Reads Ntldr into memory from the root directory of the system volume
- Transfers control to Ntldr's entry point
- If Ntldr can't be found: "BOOT: Couldn't find NTLDR" on FAT, "NTLDR is missing" on NTFS
NTLDR (1)
- Begins in real mode: no virtual-to-physical address translation, and only the first 1 MB of memory is usable
- Switches the processor to protected mode: still no virtual-to-physical translation, but the full 32-bit address space (all of physical memory) becomes accessible
- Creates enough page tables to make memory below 16 MB accessible with paging turned on, then enables paging
- The boot-code functions briefly switch paging off again because they depend on the BIOS for IDE disk and display I/O
- For non-IDE disks (e.g. SCSI), loads Ntbootdd.sys, which is a copy of the SCSI miniport driver
NTLDR (2)
- Reads Boot.ini using its built-in file system code, which, like the boot sector's code, is read-only but can also read subdirectories
- Clears the screen
- If there is a valid Hiberfil.sys in the root of the system volume, reads it and transfers control to the code in the kernel that resumes a hibernated system
- Hiberfil.sys is valid only if the computer was hibernated the last time it was shut down (see Chapter 11 for hibernation)
NTLDR (3)
- If Boot.ini has more than one boot-selection entry, presents the user with the boot-selection menu
- Each entry directs Ntldr to the partition on which that Windows system directory resides (the boot partition or another primary partition)
- If the entry refers to an MS-DOS installation (by naming C:\ as the system partition): reads Bootsect.dos into memory, switches back to 16-bit real mode, and calls the MBR code in Bootsect.dos, which continues an MS-DOS-specific boot
NTLDR (4)
- Boot options can be included on entries in Boot.ini; the Bootcfg.exe tool can set a number of the switches
- The options in effect are saved in the registry value HKLM\System\CurrentControlSet\Control\SystemStartOptions
- If no selection is made within the timeout period, Ntldr chooses the default: the first entry whose path matches the path given on the default= line
- Loads and executes Ntdetect.com, a 16-bit real-mode program that uses the system's BIOS to query the computer for basic device and configuration information
NTLDR (5)
Ntdetect.com gathers:
- The time and date stored in the system's CMOS
- The types of buses on the system and identifiers for the devices attached to each bus
- The number, size, and types of disk drives on the system
- The types of mouse input devices connected to the system
- The types of parallel ports configured on the system
- The types of video adapters present on the system
This information is stored under the HKLM\HARDWARE\DESCRIPTION registry key later in the boot.
Ntldr then loads the boot drivers. Windows 2000 displays "Starting Windows"; Windows XP and Windows Server 2003 present a logo splash screen.
NTLDR (6)
- On an x64 system booting an x64 kernel, switches the processor to long mode (native word size 64 bits)
- Loads the files needed to start kernel initialization from the boot volume, the partition on which the system directory resides
- Loads the appropriate kernel and HAL images (by default Ntoskrnl.exe and Hal.dll)
- On failure prints "Windows could not start because the following file was missing or corrupt", followed by the name of the file
NTLDR (7)
- Reads in the SYSTEM registry hive, \Windows\System32\Config\System, to determine which device drivers need to be loaded to accomplish the boot
- Scans the in-memory SYSTEM hive and locates all boot device drivers: the drivers necessary to boot the system, indicated in the registry by a Start value of SERVICE_BOOT_START (0), e.g. HKLM\SYSTEM\CurrentControlSet\Services\dmio\Start
NTLDR (8)
- Adds the file system driver for the type of partition on which the installation directory resides. Ntldr must load this driver itself: if it did not, there would be a circular dependency, because the driver lives on the very file system it is needed to read
- Loads the boot drivers, for the same reason
- Displays a progress bar to indicate loading progress; the /SOS switch displays the filename of each boot driver instead of the bar
- Prepares the CPU registers for the execution of Ntoskrnl.exe
Boot options (1)
Boot qualifier | Meaning
/3GB | Increases the size of the user process address space from 2 GB to 3 GB (and therefore reduces the size of system space from 2 GB to 1 GB). Giving virtual-memory-intensive applications such as database servers a larger address space can improve their performance. For an application to take advantage of this feature, two additional conditions must be met: the system must be running Windows XP, Windows Server 2003, Windows 2000 Advanced Server, or Datacenter Server; and the application .exe must be flagged as a 3-GB-aware application (applies to 32-bit systems only). See "Address Space Layout" in Chapter 7.
/BOOTLOG | Causes Windows to write a log of the boot to the file %SystemRoot%\Ntbtlog.txt
/BURNMEMORY= | Specifies an amount of memory, in megabytes, that Windows can't use (similar to the /MAXMEM switch). Example: /BURNMEMORY=128 indicates that Windows can't use 128 MB of the total physical memory on the machine.
/DEBUG | Enables kernel-mode debugging
Boot options (2)
Boot qualifier | Meaning
/FASTDETECT | Default boot option for Windows. Replaces the Windows NT 4 switch /NOSERIALMICE. The qualifier exists (rather than NTDETECT simply behaving this way by default) so that NTDETECT can still boot Windows NT 4: Windows Plug and Play device drivers detect parallel and serial devices themselves, but Windows NT 4 expects NTDETECT to perform the detection. Specifying /FASTDETECT therefore causes NTDETECT to skip parallel and serial device enumeration (not required when booting Windows), whereas omitting the switch causes NTDETECT to perform this enumeration (required for booting Windows NT 4).
/MAXMEM= | Limits Windows to the first N megabytes of physical memory and ignores the rest. Example: /MAXMEM=32 limits the system to the first 32 MB of physical memory even if more is present.
/SOS | Causes Windows to list the device drivers marked to load at boot time and then to display the system version number (including the build number), amount of physical memory, and number of processors
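The Boot.ini handling described in NTLDR (3) and (4) and the switch tables above, as an added, stand-alone reimplementation (this is example Python, not Ntldr's parser): the [boot loader] section supplies timeout= and default=, each [operating systems] line is path="description" followed by /switches, the default entry is the first one whose path matches default=, and /MAXMEM and /BURNMEMORY are applied to a given physical memory size. The Boot.ini text inside the block is constructed for the example; the helper that flags /DEBUG entries goes beyond the slide and reflects the reviewer's own check (a kernel-debug boot entry on a production host deserves a look).

```python
"""Parse Boot.ini and resolve the entry Ntldr would boot.
The sample Boot.ini is constructed for this example."""
import re

SAMPLE_BOOT_INI = """\
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Microsoft Windows XP Professional" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\\WINDOWS="Windows XP (kernel debug)" /fastdetect /debug /sos /maxmem=512
multi(0)disk(0)rdisk(0)partition(2)\\WINDOWS="Windows Server 2003 (3GB)" /fastdetect /3GB /burnmemory=256
C:\\="Microsoft Windows 98"
"""

_ENTRY_VALUE = re.compile(r'^"(?P<desc>[^"]*)"\s*(?P<switches>.*)$')


def _parse_switches(text: str) -> dict:
    """/NAME or /NAME=value tokens -> {"NAME": value or None}; names are case-insensitive."""
    switches = {}
    for token in text.split():
        if not token.startswith("/"):
            raise ValueError("unexpected token in entry: %r" % token)
        name, _, value = token[1:].partition("=")
        switches[name.upper()] = value if value else None
    return switches


def parse_boot_ini(text: str) -> dict:
    config = {"timeout": None, "default": None, "entries": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        key, sep, value = line.partition("=")   # ARC paths contain no "="
        if not sep:
            raise ValueError("malformed line: %r" % raw)
        key, value = key.strip(), value.strip()
        if section == "boot loader":
            if key.lower() == "timeout":
                config["timeout"] = int(value)
            elif key.lower() == "default":
                config["default"] = value
        elif section == "operating systems":
            m = _ENTRY_VALUE.match(value)
            if not m:
                raise ValueError("malformed entry: %r" % raw)
            config["entries"].append({
                "path": key,
                "description": m.group("desc"),
                "switches": _parse_switches(m.group("switches")),
                # C:\ as the system partition means Bootsect.dos and an MS-DOS-style boot
                "is_dos": key.upper() == "C:\\",
            })
        else:
            raise ValueError("line outside a known section: %r" % raw)
    return config


def default_entry(config: dict) -> dict:
    """Ntldr's rule: the first entry whose path matches default= (case-insensitive)."""
    target = (config["default"] or "").upper()
    for entry in config["entries"]:
        if entry["path"].upper() == target:
            return entry
    raise LookupError("default= path matches no entry")


def select_entry(config: dict, choice=None) -> dict:
    """choice is the 0-based menu index, or None when the timeout expires."""
    if choice is not None:
        return config["entries"][choice]
    return default_entry(config)


def usable_memory_mb(entry: dict, physical_mb: int) -> int:
    """Model of the two memory switches: /MAXMEM caps what Ntldr describes to the
    kernel, then the kernel discards /BURNMEMORY megabytes in phase 0."""
    sw = entry["switches"]
    usable = physical_mb
    if "MAXMEM" in sw:
        usable = min(usable, int(sw["MAXMEM"]))
    if "BURNMEMORY" in sw:
        usable = max(0, usable - int(sw["BURNMEMORY"]))
    return usable


def entries_with_kernel_debugging(config: dict) -> list:
    """Descriptions of entries that boot with /DEBUG (the example's own audit helper)."""
    return [e["description"] for e in config["entries"] if "DEBUG" in e["switches"]]


if __name__ == "__main__":
    cfg = parse_boot_ini(SAMPLE_BOOT_INI)
    print("default after %d s:" % cfg["timeout"], select_entry(cfg)["description"])
    for i, e in enumerate(cfg["entries"]):
        print(i, e["description"], e["switches"], "DOS" if e["is_dos"] else "")
    print("kernel-debug entries:", entries_with_kernel_debugging(cfg))
```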
Ntoskrnl (1)
Ntoskrnl receives from Ntldr:
- A copy of the selected line in Boot.ini
- A pointer to the memory tables Ntldr generated to describe the physical memory on the system
- A pointer to the in-memory copies of the HARDWARE and SYSTEM registry hives
- A pointer to the list of boot drivers
Initialization is a two-phase process; most executive subsystem initialization functions take a parameter that identifies which phase is executing.
Ntoskrnl (2): phase 0 call structure
main
  // start of phase 0: interrupts disabled
  KiSystemStartup
    HalInitializeProcessor
    KiInitializeKernel              // on the boot CPU only: systemwide kernel initialization
      ExpInitializeExecutive
        HalInitSystem
        (boot CPU) process the /BURNMEMORY switch
        phase 0 initialization routines of the five managers
  proceed to the idle loop          // end of phase 0
Ntoskrnl (3)
Phase 0
- Interrupts are disabled; the purpose of this phase is to build the rudimentary structures required so that the services needed in phase 1 can be invoked
- KiSystemStartup calls HalInitializeProcessor and KiInitializeKernel for each CPU
- KiInitializeKernel on the boot CPU performs systemwide kernel initialization; each CPU's instance then calls ExpInitializeExecutive
- ExpInitializeExecutive is responsible for orchestrating phase 0 and calls the HAL function HalInitSystem
Ntoskrnl (4)
ExpInitializeExecutive on the boot CPU
- Processes the /BURNMEMORY Boot.ini switch, discarding the amount of memory the switch specifies (compare /MAXMEM)
- Calls the phase 0 initialization routines of the memory manager, object manager, security reference monitor, process manager, and Plug and Play manager
HalInitSystem
- Gives the HAL control before Windows performs significant further initialization
- Prepares the system interrupt controller of each CPU for interrupts
- Configures the interval clock timer interrupt, which is used for CPU time accounting (see Chapter 6)
Ntoskrnl (5)
Memory manager initialization
- Constructs page tables and prepares internal data structures for basic memory services
- Builds and reserves an area for the system file cache
- Creates memory areas for the paged and nonpaged pools
Object manager initialization
- Defines the objects that are necessary to construct the object manager namespace
- Creates a handle table
Security reference monitor initialization
- Initializes the token type object
- Prepares the first local system account token for assignment to the initial process (see Chapter 8)
Ntoskrnl (6)
Process manager initialization (most of it happens in phase 0)
- Defines the process and thread object types
- Sets up lists to track active processes and threads
- Creates the System process and a system thread to execute the routine Phase1Initialization (not started yet, because interrupts are disabled)
Plug and Play manager initialization
- Simply initializes an executive resource used to synchronize bus resources
Ntoskrnl (7)
Phase 1
- HalInitSystem prepares the system to accept interrupts from devices and enables interrupts
- The boot video driver (\Windows\System32\Bootvid.dll) is initialized: Windows 2000 displays the Windows startup screen; Windows XP and 2003 present the same graphic that Ntldr placed on the screen earlier in the boot
- The power manager is initialized
- The system time is initialized (by HalQueryRealTimeClock) and then stored as the time the system booted
- On a multiprocessor system, the remaining processors are initialized and begin execution
- The progress bar is set to 5 percent
Ntoskrnl (8)
- The object manager creates the namespace root directory (\), the \ObjectTypes directory, the DOS device name mapping directory (\?? on Windows 2000, \Global?? on Windows XP and Windows Server 2003), and the \DosDevices symbolic link that points at the DOS device name mapping directory
- The executive creates the executive object types, including semaphore, mutex, event, and timer
- The kernel initializes the scheduler (dispatcher) data structures and the system service dispatch table
Ntoskrnl (9)
- The security reference monitor creates the \Security directory in the object manager namespace and initializes auditing data structures if auditing is enabled
- The progress bar is set to 10 percent
- The memory manager creates the section object type and the memory manager's system worker thread (explained in Chapter 7)
- National language support (NLS) tables are mapped into system space
- Ntdll.dll is mapped into the system address space
- The cache manager initializes the file system cache data structures and creates its worker thread
Ntoskrnl (10)
- The configuration manager creates the \Registry key object in the object manager namespace and copies the initial registry data passed by Ntldr into the HARDWARE and SYSTEM hives
- Global file system driver data structures are initialized
- The Plug and Play manager calls the Plug and Play BIOS
- The progress bar is set to 20 percent
- The local procedure call (LPC) subsystem initializes the LPC port type object
- If the system was booted with boot logging (/BOOTLOG), the boot log file is initialized
- The progress bar is set to 25 percent
Ntoskrnl (11)
- The I/O manager initializes its internal structures, creates the driver and device object types, and calls the Plug and Play manager, power manager, and HAL to begin the various stages of dynamic device enumeration and initialization (see Chapter 9)
- Windows Management Instrumentation (WMI) is initialized (see Chapter 4)
- Boot-start drivers are called to perform their driver-specific initialization
- System-start device drivers are loaded and initialized (see Chapter 9)
- MS-DOS device names are created as symbolic links in the object manager's namespace
Ntoskrnl (12)
- The progress bar is set to 75 percent
- If the computer is booting in safe mode, this fact is recorded in the registry
- Unless explicitly disabled in the registry, paging of kernel-mode code (in Ntoskrnl and drivers) is enabled
- The progress bar is set to 80 percent
- The power manager initializes various power management structures
- The progress bar is set to 85 percent
- The security reference monitor creates the Command Server Thread that communicates with Lsass (see Chapter 8)
- The progress bar is set to 90 percent
- The Session Manager subsystem (Smss) is created
- The progress bar is (finally) set to 100 percent
Ntoskrnl (13)
The phase 1 initialization thread
- Waits on the handle to the Session Manager process with a timeout of 5 seconds
- A process handle becomes signaled when the process exits, so if the wait is satisfied before the timeout, Smss has died and the system crashes itself with a SESSION5_INITIALIZATION_FAILED bug check
- If the wait times out instead, the Session Manager is assumed to have started successfully, and the thread calls the memory manager's zero page thread function (explained in Chapter 7): this system thread becomes the zero page thread for the remainder of the life of the system
Smss (1)
- Considered a trusted part of the operating system by Windows, so it can perform actions such as creating security tokens
- Is a native application: it uses only core executive APIs (the Windows native API), not Windows APIs, because the Windows subsystem isn't executing yet when Smss launches
- Starts the Windows subsystem
- Calls the configuration manager executive subsystem to initialize the registry
Smss (2)
- Fleshes the registry out to include all its keys; the configuration manager records the paths to the hives it loads in the HKLM\SYSTEM\CurrentControlSet\Control\hivelist key
- Creates an LPC port object (\SmApiPort) and two threads to wait for client requests, such as requests to load a new subsystem or create a session
- Defines the symbolic links for MS-DOS device names such as COM1 and LPT1
- If Terminal Services is installed, creates the \Sessions directory in the object manager's namespace (for multiple sessions)
Smss (3)
- Runs the programs listed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute; typically this is the boot-time version of Chkdsk (Autochk)
- Performs the delayed file rename and delete operations listed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations and HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations2
- Opens the known DLLs listed in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs
Smss (4)
- Creates section objects for the known DLLs in the \KnownDlls directory of the object manager namespace
- Creates additional paging files as configured in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PagingFiles
- Initializes the registry: fleshes it out by loading the hives for the HKLM\SAM, HKLM\SECURITY, and HKLM\SOFTWARE keys. Hive locations are taken from HKLM\SYSTEM\CurrentControlSet\Control\hivelist; otherwise \Windows\System32\Config is used
Smss (5)
- Creates the system environment variables defined in HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment
- Loads the kernel-mode part of the Windows subsystem (Win32k.sys); the path to it and its components is under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
- Win32k.sys switches the display from VGA mode to the default resolution chosen for the system
- Starts the subsystem processes, including Csrss (on Windows 2000 the POSIX and OS/2 subsystems too)
- Starts the logon process (Winlogon)
- Creates LPC ports for debug event messages (DbgSsApiPort and DbgUiApiPort) and threads to listen on those ports
Smss (6): Pending File Rename Operations
- Executable images and DLLs are memory-mapped while they are in use, so core system files can't be replaced after Windows has finished booting
- MoveFileEx has an option to specify that a file move be delayed until the next boot
- Value type: MULTI_SZ
- Value syntax: pairs of file names, source then target, in native form, e.g. source \??\C:\Long Directory Name\Long File Name.exe; an empty target string means delete the source
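The value layout described above, as an added example (this is illustrative Python; MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT is what normally writes the value, and Smss is what consumes it). It encodes (source, target) pairs into REG_MULTI_SZ bytes (NUL-terminated UTF-16LE strings with a final extra NUL) and decodes them back into rename and delete operations. One caveat it handles: a delete is an empty target string in the middle of the list, which is exactly what generic REG_MULTI_SZ readers treat as end-of-list, so a tool that stops at the first empty string will show only the operations up to the first delete. The "!" prefix on a target, meaning replace an existing file, goes beyond the slide and is handled as well. The sample operations are constructed.

```python
"""Encode and decode PendingFileRenameOperations (REG_MULTI_SZ of path pairs).
Sample operations are constructed for this example."""

NATIVE_PREFIX = "\\??\\"


def to_native_path(path: str) -> str:
    """C:\\dir\\file -> \\??\\C:\\dir\\file; a leading "!" (replace-existing marker
    on a target) is preserved, and already-native paths are left alone."""
    flag = ""
    if path.startswith("!"):
        flag, path = "!", path[1:]
    if not path.startswith(NATIVE_PREFIX):
        path = NATIVE_PREFIX + path
    return flag + path


def encode_multi_sz(strings) -> bytes:
    """Wire format: every string NUL-terminated, then one more NUL for the list."""
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_multi_sz(data: bytes) -> list:
    """Split by total length rather than stopping at the first empty string,
    because delete operations encode an empty target mid-list."""
    text = data.decode("utf-16-le")
    if not text.endswith("\0"):
        raise ValueError("REG_MULTI_SZ missing list terminator")
    text = text[:-1]
    if text == "":
        return []
    if not text.endswith("\0"):
        raise ValueError("last string is not NUL-terminated")
    return text[:-1].split("\0")


def encode_operations(ops) -> bytes:
    """ops: list of (source, target); target None or "" means delete the source."""
    strings = []
    for source, target in ops:
        strings.append(to_native_path(source))
        strings.append(to_native_path(target) if target else "")
    return encode_multi_sz(strings)


def decode_operations(data: bytes) -> list:
    """Return [(op, source, target)] with op in {"rename", "replace", "delete"}."""
    strings = decode_multi_sz(data)
    if len(strings) % 2:
        raise ValueError("odd number of strings: a source without a target")
    ops = []
    for source, target in zip(strings[::2], strings[1::2]):
        if target == "":
            ops.append(("delete", source, None))
        elif target.startswith("!"):
            ops.append(("replace", source, target[1:]))
        else:
            ops.append(("rename", source, target))
    return ops


SAMPLE_OPERATIONS = [  # constructed, not read from a real machine
    ("C:\\WINDOWS\\system32\\drivers\\example.sys.tmp", "C:\\WINDOWS\\system32\\drivers\\example.sys"),
    ("C:\\Long Directory Name\\Long File Name.exe", None),
]

if __name__ == "__main__":
    blob = encode_operations(SAMPLE_OPERATIONS)
    print(blob.hex())
    for op in decode_operations(blob):
        print(op)
```

Reading the real value with winreg.QueryValueEx already returns a list of strings, but that list has been split the generic way; reading the raw REG_MULTI_SZ bytes (or the value exported by reg.exe) and decoding them as above is what lets an investigator see every queued replacement or deletion of a system file before the next boot applies it.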
Smss (7)
- The main thread in Smss waits forever on the process handles of Csrss and Winlogon
- On Windows 2000, if either of these processes terminates unexpectedly, Smss crashes the system
- On Windows XP and 2003, if Csrss exits, the kernel crashes the system
Winlogon (1)
- Creates the initial window station and desktop objects
- If a DLL is specified in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GinaDLL, uses that DLL as the GINA; otherwise uses the Microsoft default GINA, Msgina (\Windows\System32\Msgina.dll), which displays the standard Windows logon dialog box
- Creates the service control manager (SCM) process (\Windows\System32\Services.exe), which loads all services and device drivers marked for auto-start
Winlogon (2)
- Creates the local security authentication subsystem (Lsass) process (\Windows\System32\Lsass.exe); see "Winlogon Initialization" in Chapter 8
- The registry's last known good control set (HKLM\SYSTEM\Select\LastKnownGood) is updated to match CurrentControlSet after the SCM has initialized the auto-start services and drivers and a user has successfully logged on at the console
- The definition of a successful boot can be overridden: set HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ReportBootOk to 0 and register a custom boot verification program in HKLM\System\CurrentControlSet\Control\BootVerificationProgram; that program calls NotifyBootConfigStatus when it is satisfied
Winlogon (3)
- Waits for an interactive logon notification from the GINA
- Validates the logon (see "User Logon Steps" in Chapter 8)
- Loads the registry hive from the user's profile and maps it to HKCU
- Sets the user's environment variables from HKCU\Environment
- Notifies the DLLs registered under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify that a logon has occurred (e.g. AtiExtEvent)
Winlogon (4)
- Tells the GINA to start the shell
- Msgina launches the executable or executables (comma-separated) specified in HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit; by default \Windows\System32\Userinit.exe
- Userinit.exe runs the user logon scripts (HKCU\Software\Policies\Microsoft\Windows\System\Scripts) and then the machine logon scripts (HKLM\Software\Policies\Microsoft\Windows\System\Scripts); because the machine scripts run after the user scripts, they can override user settings
Winlogon (5)
- If group policy specifies a user profile quota, Userinit starts \Windows\System32\Proquota.exe to enforce the quota for the current user
- Launches the comma-separated shell or shells named in HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell; by default Explorer.exe
- Notifies registered network providers that a user has logged on; the Microsoft network provider, Multiple Provider Router (\Windows\System32\Mpr.dll), restores the user's persistent drive letter and printer mappings, stored in HKCU\Network and HKCU\Printers respectively
Images that Start Automatically
- Several system components check registry and file system locations for images to start automatically during the boot and logon process
- The Msconfig utility on Windows XP and Windows Server 2003 (\Windows\System32\Msconfig.exe) displays the images configured in several of these locations
- Sysinternals' Autoruns tool shows considerably more of these locations
EXPERIMENT: Autoruns
Troubleshooting Boot and Startup Problems: contents
- Windows boot-problem recovery modes: Last Known Good, Safe Mode, Recovery Console
- Common boot problems
Windows boot-problem recovery modes (1): Last Known Good (LKG)
- A control set holds the system's configuration settings (HKLM\System\CurrentControlSet\Control) and the driver and service configuration (HKLM\System\CurrentControlSet\Services)
- When booting with the Last Known Good menu selection, the system:
  - marks the control set that failed by setting the HKLM\System\Select\Failed value
  - changes HKLM\System\Select\Current to the value of HKLM\System\Select\LastKnownGood
  - updates the symbolic link HKLM\System\CurrentControlSet to point at the LastKnownGood control set
- Because the key of a newly installed (and faulty) driver is not present in the LKG control set, the system boots successfully without it
Windows boot-problem recovery modes (2): Safe Mode
- Addresses a device driver that crashes the machine during the boot sequence; software and hardware configurations can change over time
- A concept Windows borrowed from Consumer Windows: boot with a minimal set of device drivers and services
- Four safe-mode variations: Safe Mode; Safe Mode With Networking; Safe Mode With Command Prompt; Directory Services Restore Mode (like Safe Mode With Networking, except that the Active Directory service is not started, so that repair operations can be performed on its database)
Windows boot-problem recovery modes (3): Recovery Console
In some situations a safe-mode boot won't help the system boot:
- the driver that prevents the system from booting is a member of a safe-mode driver group
- a third-party boot-start driver, such as a virus scanner driver, prevents the system from booting
- a system module or critical device driver file that is part of the safe-mode configuration becomes corrupt, or the system drive's Master Boot Record (MBR) is damaged
The Recovery Console boots a limited command-line shell from the Windows CD or boot disks to repair an installation without having to boot the installation itself.
Solving Common Boot Problems (1)
MBR corruption
- Symptoms: the machine executes the BIOS power-on self test (POST), displays BIOS version information or OEM branding, switches to a black screen, and then hangs, or shows "Invalid Partition Table", "Error Loading Operating System", or "Missing Operating System"
- Cause: hard-disk errors, a driver bug while Windows is running, or intentional scrambling by a virus
- Resolution: boot into the Recovery Console and execute the fixmbr command, which replaces the executable code in the MBR; it cannot restore a damaged partition table
Other common problems covered in the chapter: boot sector corruption, Boot.ini misconfiguration, system file corruption, system hive corruption, post-splash-screen crash or hang
Solving Common Boot Problems (2): Windows File Protection (WFP)
- Runs within Winlogon and is implemented in two DLLs: \Windows\System32\Sfc.dll and \Windows\System32\Sfc_os.dll
- Monitors several directories for changes to key drivers, executables, and DLLs, including most subdirectories under \Windows, using the native API version of ReadDirectoryChangesW
- If a protected file is modified and the replacement isn't Microsoft-signed, WFP restores the original from the DllCache directory; if it isn't there, WFP looks in the network install path or on the setup media
Solving Common Boot Problems (3): diffing the failed and current control sets after an LKG boot
1. Run Regedit and select HKLM\System\CurrentControlSet
2. Select Export from the File menu and save to a file named good.reg
3. Open HKLM\System\Select, read the value of Failed, and select the subkey HKLM\System\ControlSetXXX, where XXX is the value of Failed
4. Export the contents of that control set to bad.reg
5. Use WordPad (found under Accessories in the Start menu) to globally replace all instances of "CurrentControlSet" in good.reg with "ControlSet"
6. Use WordPad to replace all instances of "ControlSetXXX" (XXX being the value of Failed) in bad.reg with "ControlSet"
7. Run Windiff from the Support Tools and compare the two files
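The same comparison done in code, as an added example that replaces the WordPad and Windiff steps (illustrative Python, not a Microsoft tool): it parses the Regedit 5.00 export format (a [key] header per key, "name"=value lines, "@" for the default value, hex values continued with a trailing backslash), normalizes CurrentControlSet and ControlSetNNN to one neutral name, and reports keys and values that exist in only one export or differ between them. The two exports inside the block are constructed, deliberately short samples; real exports are UTF-16 text with a byte-order mark, so read them with open(path, encoding="utf-16").

```python
"""Diff two control-set exports (good.reg vs bad.reg) after an LKG boot.
Both exports below are constructed samples, not real registry data."""
import re

GOOD_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\dmio]
"Start"=dword:00000000
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip]
"Start"=dword:00000001
"""

BAD_REG = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\dmio]
"Start"=dword:00000004
"Type"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\Tcpip]
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet002\\Services\\newdriver]
"Start"=dword:00000000
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,\\
  6e,00,65,00,77,00,2e,00,73,00,79,00,73,00,00,00
"""

_CONTROL_SET = re.compile(r"\\(CurrentControlSet|ControlSet\d{3})\\", re.IGNORECASE)


def normalize_key(key: str) -> str:
    """Map CurrentControlSet / ControlSetNNN to the neutral name ControlSet (upper-cased)."""
    return _CONTROL_SET.sub(r"\\ControlSet\\", key).upper()


def parse_reg_export(text: str) -> dict:
    """{normalized key path: {value name: raw value text}}; keys without values map to {}."""
    keys = {}
    current = None
    pending = ""  # accumulates hex lines that end with a backslash continuation
    for raw in text.splitlines():
        line = raw.strip()
        if pending:
            line, pending = pending + line, ""
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = normalize_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        if current is None:
            raise ValueError("value line before any key: %r" % raw)
        name, _, value = line.partition("=")
        name = "(default)" if name == "@" else name.strip('"')
        keys[current][name] = value
    return keys


def diff_control_sets(good: dict, bad: dict) -> list:
    """Windiff-style report as (kind, key, value name, good value, bad value)."""
    report = []
    for key in sorted(set(good) | set(bad)):
        if key not in good:
            report.append(("key only in bad", key, None, None, None))
            continue
        if key not in bad:
            report.append(("key only in good", key, None, None, None))
            continue
        g, b = good[key], bad[key]
        for name in sorted(set(g) | set(b)):
            if g.get(name) != b.get(name):
                report.append(("value differs", key, name, g.get(name), b.get(name)))
    return report


if __name__ == "__main__":
    for entry in diff_control_sets(parse_reg_export(GOOD_REG), parse_reg_export(BAD_REG)):
        print(entry)
```

In the constructed sample the report shows exactly what an LKG investigation looks for: a service whose Start value changed (dmio went from boot-start 0 to disabled 4) and a driver key that exists only in the failed control set.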
Shutdown (1): terminating all the processes in the interactive user's session
- A logged-on user initiates shutdown by calling ExitWindowsEx, which sends a shutdown message to Csrss
The sequence shown in the slide's diagram:
1. Logged-on user A calls ExitWindowsEx; the shutdown message reaches Csrss
2. Csrss passes the shutdown message on to Winlogon (identifying logged-on user A)
3. Winlogon calls ExitWindowsEx back into Csrss with a special flag, once for each logged-on user
4. Csrss sends WM_QUERYENDSESSION and then WM_ENDSESSION to every process that owns a top-level window
5. Csrss sends CTRL_LOGOFF_EVENT to console applications
6. Winlogon calls Csrss again to terminate the COM processes related to the interactive user's session
7. Those COM processes are terminated
Shutdown (2)
Csrss, for each request from Winlogon (i.e. for each interactive user, not only the user who requested the shutdown):
- Takes the processes that own a top-level window in reverse order of their shutdown level (set by calling SetProcessShutdownParameters), so the highest level goes first
- For each thread in such a process that has a Windows message loop, sends the WM_QUERYENDSESSION message; if the thread returns TRUE, the system shutdown can proceed
- Then sends the WM_ENDSESSION message and waits the number of seconds defined in HKCU\Control Panel\Desktop\HungAppTimeout
- If that wait times out, displays the hung-program dialog box
- Terminates the process
EXPERIMENT: Witnessing the HungAppTimeout
Shutdown (3)
Console applications
- Csrss sends the CTRL_LOGOFF_EVENT to the process's control handler
- If the handler returns FALSE, Csrss kills the process
- If it returns TRUE or doesn't respond within HKCU\Control Panel\Desktop\WaitToKillAppTimeout, Csrss displays the hung-program dialog box
COM processes
- On the corresponding request from Winlogon (made via ExitWindowsEx), Csrss terminates any COM processes that are part of the interactive user's session
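A small model of the per-user pass in Shutdown (2) and (3), as an added example (illustrative Python, not Csrss code, and times are simulated rather than waited). Each process is a dict with a name, its shutdown level (higher levels are asked first) and a scripted reply: True allows, False vetoes, None never answers (hung). GUI processes get WM_QUERYENDSESSION then WM_ENDSESSION; console processes get CTRL_LOGOFF_EVENT. The model also takes a force flag standing in for EWX_FORCE, which skips the query and terminates without asking; that flag and the sample process list are this example's assumptions.

```python
"""Simulate Csrss's per-user shutdown pass: ordering, vetoes, hung-app timeouts.
Processes and replies are constructed; nothing here sleeps or touches real processes."""

DEFAULT_LEVEL = 0x280  # SetProcessShutdownParameters default level

SAMPLE_PROCESSES = [  # constructed
    {"name": "editor", "kind": "gui", "level": DEFAULT_LEVEL, "reply": True},
    {"name": "backup-agent", "kind": "gui", "level": 0x3FF, "reply": True},
    {"name": "stuck-app", "kind": "gui", "level": 0x100, "reply": None},
    {"name": "console-tool", "kind": "console", "level": DEFAULT_LEVEL, "reply": False},
]


def shutdown_user_session(processes, force=False, hung_app_timeout_ms=5000, wait_to_kill_ms=20000):
    """Return {"result": "completed"|"cancelled", "events": [...], "terminated": [...]}."""
    events, terminated = [], []

    def log(fmt, *args):
        events.append(fmt % args)

    # Top-level-window owners, highest shutdown level first (stable for equal levels).
    gui = sorted((p for p in processes if p["kind"] == "gui"),
                 key=lambda p: p["level"], reverse=True)
    for proc in gui:
        if not force:
            log("%s: WM_QUERYENDSESSION -> %s", proc["name"], proc["reply"])
            if proc["reply"] is False:
                # One FALSE from a message-loop thread cancels the whole shutdown.
                log("shutdown cancelled by %s", proc["name"])
                return {"result": "cancelled", "events": events, "terminated": terminated}
        log("%s: WM_ENDSESSION", proc["name"])
        if proc["reply"] is None:
            log("%s: no reply within HungAppTimeout (%d ms), hung-program dialog",
                proc["name"], hung_app_timeout_ms)
        terminated.append(proc["name"])
        log("%s: terminated", proc["name"])

    for proc in (p for p in processes if p["kind"] == "console"):
        log("%s: CTRL_LOGOFF_EVENT -> %s", proc["name"], proc["reply"])
        if proc["reply"] is False:
            log("%s: handler returned FALSE, killed", proc["name"])
        elif proc["reply"] is None:
            log("%s: no reply within WaitToKillAppTimeout (%d ms), hung-program dialog",
                proc["name"], wait_to_kill_ms)
        else:
            log("%s: handler returned TRUE, given %d ms to exit", proc["name"], wait_to_kill_ms)
        terminated.append(proc["name"])

    return {"result": "completed", "events": events, "terminated": terminated}


if __name__ == "__main__":
    for line in shutdown_user_session(SAMPLE_PROCESSES)["events"]:
        print(line)
```

Two things the model makes visible: a process that sets a high shutdown level is asked first and so can veto before anything else has been torn down, and a process that never answers only delays the shutdown by HungAppTimeout before it is terminated anyway.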
Shutdown (4): notifying the processes in the system context
1. Winlogon calls ExitWindowsEx once more, this time in the system process context
2. Csrss receives the shutdown message and looks at all the processes belonging to the system context
3. GUI threads receive WM_QUERYENDSESSION
4. followed by WM_ENDSESSION
5. Console processes with registered control handlers receive CTRL_SHUTDOWN_EVENT
6. The SCM sends service shutdown control messages to the services that registered for them
Shutdown (5)
- Csrss applies the same timeouts as when it was terminating the user's processes, but it doesn't display any dialog boxes and doesn't kill any processes
- It simply gives system processes a chance to clean up and exit before the system shuts down
- Many system processes are in fact still running when the system shuts down: Smss, Winlogon, the SCM, Lsass, etc.
Shutdown (6)
After Csrss has finished its pass notifying system processes that the system is shutting down:
1. Winlogon calls NtShutdownSystem
2. NtShutdownSystem calls NtSetSystemPowerState
3. NtSetSystemPowerState orchestrates the shutdown of the drivers and of the rest of the executive subsystems: Plug and Play manager, power manager, executive, I/O manager, configuration manager, memory manager
Shutdown (7)
- System shutdown ends in the power manager, which performs the requested action: a shutdown, a reboot, or a power down
Conclusion
- This chapter covered the detailed steps involved in starting and shutting down Windows
- We're now ready to explore the individual executive components in more detail, starting with processes and threads