COMP2221COMP2221

Networks in OrganisationsNetworks in Organisations

University of WorcesterUniversity of Worcester

MarchMarch 20122012

Week 6: Booting up a Week 6: Booting up a Network Operating SystemNetwork Operating System

Objectives:Objectives:– Describe the software layers of a network Describe the software layers of a network

operating system operating system – Describe each of the six boot-up stagesDescribe each of the six boot-up stages– Explain the terms firmware, ACPI, and Explain the terms firmware, ACPI, and

plug-n-playplug-n-play– Relate the booting up process to the Relate the booting up process to the

principle of fault toleranceprinciple of fault tolerance

Architecture of a NOSArchitecture of a NOS

os kernel (diff versions for diff hardware)

CPU, network card

operating i/o subsystem, system functions

User Interface

BIOS

Stages in Boot UpStages in Boot Up

Load & run hardware test softwareLoad & run hardware test software If hardware all OK, load essential operating If hardware all OK, load essential operating

system components into memory and executesystem components into memory and execute Either Either

– present user interface for immediate usepresent user interface for immediate use

OrOr– present logon screen present logon screen

– create user interface according to logon credentialscreate user interface according to logon credentials

Why does A Windows Boot-up Why does A Windows Boot-up take so long?take so long?

Lot of software needs to be loaded, Lot of software needs to be loaded, mostly from hard disk…mostly from hard disk…

Six “fault tolerant” stages required Six “fault tolerant” stages required before the user gets their desktop:before the user gets their desktop:– Power-on self test (POST)Power-on self test (POST)– Initial startupInitial startup– Boot loaderBoot loader– Detect and configure hardwareDetect and configure hardware– Kernel loadingKernel loading– LogonLogon

Stage 1: POSTStage 1: POST

No matter which operating system is No matter which operating system is installed…installed…– CPU starts up & loads BIOS software from CPU starts up & loads BIOS software from

motherboard ROMmotherboard ROM– CPU runs POST programCPU runs POST program

» POST = Power-On Self-TestPOST = Power-On Self-Test» essential to check that basic hardware is OK essential to check that basic hardware is OK

before loading ANY operating system into before loading ANY operating system into memory…memory…

POST…POST… Checks the following:Checks the following:

– crucial hardware matters, such as amount of crucial hardware matters, such as amount of memory presentmemory present

– presence of the devices needed to start the presence of the devices needed to start the operating systemoperating system

Retrieves:Retrieves:– low level functions from BIOS (basic input-output low level functions from BIOS (basic input-output

system)system)– system configuration settings from CMOS memory system configuration settings from CMOS memory

(complementary metal-oxide semiconductor)(complementary metal-oxide semiconductor) If POST fails… screen errors indicate If POST fails… screen errors indicate

hardware faults. Replace & restart…hardware faults. Replace & restart…

Stage 2: Initial Start-upStage 2: Initial Start-up Other BIOS-controlled processes:Other BIOS-controlled processes:

– motherboard “add-on” adapters run their motherboard “add-on” adapters run their own firmware carry out internal diagnostic own firmware carry out internal diagnostic teststests» e.g. video and hard drive controllerse.g. video and hard drive controllers

– settings in CMOS memory determine the settings in CMOS memory determine the device(s) the computer will use to load an device(s) the computer will use to load an operating systemoperating system» e.g. floppy disk, hard disk, CD/DVD, USBe.g. floppy disk, hard disk, CD/DVD, USB» fault tolerance: if device not working reboot and fault tolerance: if device not working reboot and

change CMOS “boot” settingschange CMOS “boot” settings

Stage 3: The Boot LoaderStage 3: The Boot Loader

In a pre-Windows operating system:In a pre-Windows operating system:– files all loaded from media into memoryfiles all loaded from media into memory– executed to create a command line executed to create a command line

interface…interface…– option for user to type username/passwordoption for user to type username/password

To set up a GUI (Graphical User To set up a GUI (Graphical User Interface) a lot more needs to happen…Interface) a lot more needs to happen…– especiallyespecially with Windows/NT combo… with Windows/NT combo…

» all systems XP onwardsall systems XP onwards

Stage 3: Stage 3: Windows Boot LoaderWindows Boot Loader

First boot device in the CMOS boot list First boot device in the CMOS boot list activatedactivated– ““boot loader” file (NTLDR) detected and boot loader” file (NTLDR) detected and

loaded from activated disk’s boot sector…loaded from activated disk’s boot sector… If NTLDR is not found…If NTLDR is not found…

– depending on the device:depending on the device:» EITHER an error may comes up…EITHER an error may comes up…

Fault tolerance:Fault tolerance: if file(s) corrupted, can be booted up to if file(s) corrupted, can be booted up to cmd prompt and corrupted files replaced…cmd prompt and corrupted files replaced…

» OR control may pass to the next device on the OR control may pass to the next device on the listlist

Stage 3: The Boot LoaderStage 3: The Boot Loader

NTLDR…NTLDR…– sets the system for “32-bit mode”sets the system for “32-bit mode”– ““starts” the file system (e.g. NTFS)starts” the file system (e.g. NTFS)

» i.e. loads into memoryi.e. loads into memory

» executes through CPUexecutes through CPU

– loads other essential start-up files loads other essential start-up files from designated partition on chosen from designated partition on chosen disk:disk:

» Boot.ini – partition boot optionsBoot.ini – partition boot options

» Ntdetect.com – hardware detectionNtdetect.com – hardware detection

» Ntbootdd.sysNtbootdd.sys

» Ntoskrnl.exeNtoskrnl.exe

» Hal.dllHal.dll

Hard disk

boot sector

RAM

data

CPU

Stage 4: Detecting and Stage 4: Detecting and Configuring HardwareConfiguring Hardware

NTDETECT then loaded:NTDETECT then loaded:– extracts text info from:extracts text info from:

» boot.iniboot.ini file file» the registrythe registry

– gets hardware data from firmware routinesgets hardware data from firmware routines– passes data gathered to NTLDRpasses data gathered to NTLDR

NTLDRNTLDR– structures data from NTDETECTstructures data from NTDETECT– passes it to NTOSKRNLpasses it to NTOSKRNL

Stage 5: Kernel LoadingStage 5: Kernel Loading

All this, and still no All this, and still no operating system operating system kernel has been kernel has been loaded!loaded!

Now… NTLDR creates the Now… NTLDR creates the “WINDOWS EXECUTIVE” “WINDOWS EXECUTIVE” to control the kernel…to control the kernel…

Hard disk

Operating system kernel

RAM

data

CPU

Stage 5: Setting up the Kernel Stage 5: Setting up the Kernel Windows is potentially multi-platformWindows is potentially multi-platform NTLDR selects correct hardware NTLDR selects correct hardware

abstraction layer fileabstraction layer file– HAL.dll by default (Standard Intel PC)HAL.dll by default (Standard Intel PC)

Other Example HAL files:Other Example HAL files:» Halacpi.dll (Advanced Configuration and Power Halacpi.dll (Advanced Configuration and Power

Interface (ACPI) PC)Interface (ACPI) PC)» Halmacpi.dll (ACPI Multiprocessor)Halmacpi.dll (ACPI Multiprocessor)» Halaacpi.dll (ACPI Uniprocessor)Halaacpi.dll (ACPI Uniprocessor)

Fault tolerance: as with stage 4… use cmd prompt Fault tolerance: as with stage 4… use cmd prompt to recopy file(s)to recopy file(s)

Stage 5: Setting up the Stage 5: Setting up the “Live” Registry“Live” Registry

Still controlled by NTLDR…Still controlled by NTLDR…– CPU reads & processes CPU reads & processes systemrootsystemroot\\

System32\Config\System fileSystem32\Config\System file» contains essential information for determining contains essential information for determining

which drivers need to be loadedwhich drivers need to be loaded

– CPU creates HKEY_LOCAL_ MACHINE\SYSTEM CPU creates HKEY_LOCAL_ MACHINE\SYSTEM registry keyregistry key» usually includes several “control sets” as subkeysusually includes several “control sets” as subkeys» set up and presented as menu options before the set up and presented as menu options before the

system key can be usedsystem key can be used

Stage 5: Kernel Fault ToleranceStage 5: Kernel Fault Tolerance(Registry - System key “control sets”)(Registry - System key “control sets”)

Configuration depends on the registry. Configuration depends on the registry. Fault tolerance provides a range of Fault tolerance provides a range of “Control Sets”:“Control Sets”:

» \CurrentControlSet, a pointer to a ControlSet\CurrentControlSet, a pointer to a ControlSetxxxxxx subkeysubkey

wherewhere xxx xxx represents a control set number, such as represents a control set number, such as 001 designated in the \Select\Current entry001 designated in the \Select\Current entry

» \Clone\Clone a copy of \CurrentControlSet, created each time the a copy of \CurrentControlSet, created each time the

computer startscomputer starts

» \\Select options (next slide)Select options (next slide)

\SELECT control set options\SELECT control set options 1. Default:1. Default:

– points to the control set number for next points to the control set number for next startupstartup» e.g. 001=ControlSet001e.g. 001=ControlSet001» if no error or manual invocation of the if no error or manual invocation of the

“LastKnownGood” startup option“LastKnownGood” startup option assuming that a user is able to log on successfully…assuming that a user is able to log on successfully… BECOMES the Default, Current, and BECOMES the Default, Current, and

LastKnownGood entriesLastKnownGood entries

2.2. Current:Current:– last control set that was used to start the last control set that was used to start the

systemsystem

\SELECT control set \SELECT control set optionsoptions

3. “Failed”:3. “Failed”:– a control set that did not start Windows XP a control set that did not start Windows XP

Professional successfullyProfessional successfully– updated when the LastKnownGood option is used updated when the LastKnownGood option is used

to start the system.to start the system. 4. LastKnownGood:4. LastKnownGood:

– the control set used during the last user sessionthe control set used during the last user session– updated during logon with configuration

information from the previous user session

Creating the “Hardware” KeyCreating the “Hardware” Key Once the Control Set is loaded…Once the Control Set is loaded…

– kernelkernel uses the data structures provided by NTLDR uses the data structures provided by NTLDR to create the HKEY_LOCAL_MACHINE\to create the HKEY_LOCAL_MACHINE\HARDWARE keyHARDWARE key

» hardware data collected at system startuphardware data collected at system startup» includes information about various hardware components includes information about various hardware components

and system resources allocated to each deviceand system resources allocated to each device

The Starting up progress indicator at the bottom The Starting up progress indicator at the bottom of the screen monitors and displays aspects of of the screen monitors and displays aspects of the kernel load process during the creation of the kernel load process during the creation of this keythis key

Drivers, Services, and Drivers, Services, and Kernel InitiationKernel Initiation

Drivers:Drivers:– kernel-mode components required by kernel-mode components required by

devices to function with the operating devices to function with the operating systemsystem

Services:Services:– components that support operating system components that support operating system

functions and applicationsfunctions and applications– can run in various different contextscan run in various different contexts– typically do not offer many user-configurable typically do not offer many user-configurable

optionsoptions Drivers are treated as services…Drivers are treated as services…

Which Services are loaded Which Services are loaded during kernel initiation?during kernel initiation?

Services loaded before user loginServices loaded before user login– act independently of the user act independently of the user – typically stored in the typically stored in the systemrootsystemroot\System32 and \System32 and

systemrootsystemroot\System32\Drivers folders\System32\Drivers folders– use .exe, .sys, or .dll file name extensionsuse .exe, .sys, or .dll file name extensions

Each Service has a “start” value to determine Each Service has a “start” value to determine conditions of loading…conditions of loading…– can be altered by those with admin rightscan be altered by those with admin rights

Service “Start” valuesService “Start” values 0 (Boot)0 (Boot)

– Specifies a driver that is loaded (but not started) Specifies a driver that is loaded (but not started) by firmware calls made by Ntldr. If no errors occur, by firmware calls made by Ntldr. If no errors occur, the kernel starts the driver.the kernel starts the driver.

1 (System)1 (System)– Specifies a driver that loads at kernel initialization Specifies a driver that loads at kernel initialization

during the startup sequence by calling Windows during the startup sequence by calling Windows XP Professional boot drivers.XP Professional boot drivers.

2 (Auto load)2 (Auto load)– Specifies a driver or service that will be initialized Specifies a driver or service that will be initialized

at system startup by Session Manager (Smss.exe) at system startup by Session Manager (Smss.exe) or Service Controller (Services.exe)or Service Controller (Services.exe)

More “Start” valuesMore “Start” values

3 (Load on demand)3 (Load on demand)– a driver or service that is manually a driver or service that is manually

started by a user, a process, or started by a user, a process, or another serviceanother service

4 (Disabled)4 (Disabled)– a disabled (not started) driver or a disabled (not started) driver or

serviceservice

Loading Services and creating Loading Services and creating the system keythe system key

During kernel initialization:During kernel initialization:– NTLDR reads HKEY_LOCAL_MACHINE\NTLDR reads HKEY_LOCAL_MACHINE\

SYSTEM\CurrentControlSet\Services\SYSTEM\CurrentControlSet\Services\servicename, then…servicename, then…» Ntldr searches the Services subkey for drivers Ntldr searches the Services subkey for drivers

with a Start value of 0with a Start value of 0 e.g. hard disk controllerse.g. hard disk controllers

» Ntoskrnl.exe searches for and starts drivers, Ntoskrnl.exe searches for and starts drivers, that have a Start value of 1that have a Start value of 1

e.g. network protocolse.g. network protocols

Kernel Control…Kernel Control… Starts the Starts the session managersession manager

– SMss.exeSMss.exe Important initialization functions:Important initialization functions:

– creates system environment creates system environment variablesvariables

– starts kernel-mode part of the starts kernel-mode part of the Windows subsystemWindows subsystem» loaded from loaded from systemrootsystemroot\System32\\System32\

Win32k.sysWin32k.sys

More about Session ManagerMore about Session Manager

Enables Windows to switch from text mode Enables Windows to switch from text mode (16-bit) to graphics mode (32-bit)(16-bit) to graphics mode (32-bit)

User-modeUser-mode portion of the Windows portion of the Windows subsystem loaded from subsystem loaded from systemrootsystemroot\System32\Csrss.exe \System32\Csrss.exe – Windows-based applications can run in Windows-based applications can run in

“Windows subsystem”“Windows subsystem”– applications can now access operating system applications can now access operating system

functions, e.g. displaying information to the functions, e.g. displaying information to the screenscreen

Session Manager (continued)Session Manager (continued)

Windows subsystem and the Windows subsystem and the applications that run within it are all applications that run within it are all “user mode” processes“user mode” processes– run at a lower priority than kernel-mode run at a lower priority than kernel-mode

processes processes – no direct access to hardware or device no direct access to hardware or device

driversdrivers– virtual memory (if required) dependent on virtual memory (if required) dependent on

the kernel to page memory from user-mode the kernel to page memory from user-mode processes to diskprocesses to disk

Session Manager (continued)Session Manager (continued) Logon Manager loaded from Logon Manager loaded from

systemrootsystemroot\System32\Winlogon.exe\System32\Winlogon.exe– creates additional virtual memory paging creates additional virtual memory paging

filesfiles– performs delayed rename operations for performs delayed rename operations for

files listed in the registry key files listed in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Control\Session Manager\PendingFileRenameOperationsPendingFileRenameOperations» e.g. prompts to restart the computere.g. prompts to restart the computer

after installing a new driver or application after installing a new driver or application so that the file in use can be replacedso that the file in use can be replaced

Session Manager (continued)Session Manager (continued) Finally, searches the registry for service Finally, searches the registry for service

information that is contained in the following information that is contained in the following subkeys:subkeys:– HKEY_LOCAL_MACHINE\SYSTEM\HKEY_LOCAL_MACHINE\SYSTEM\

CurrentControlSet\Control\Session ManagerCurrentControlSet\Control\Session Manager– HKEY_LOCAL_MACHINE\SYSTEM\HKEY_LOCAL_MACHINE\SYSTEM\

CurrentControlSet\Services\CurrentControlSet\Services\servicenameservicename– HKEY_LOCAL_MACHINE\SYSTEM\HKEY_LOCAL_MACHINE\SYSTEM\

CurrentControlSet\Control\Session ManagerCurrentControlSet\Control\Session Manager\Subsystems\Subsystems

Subkey Information for SMssSubkey Information for SMss

Session Manager key provides a list of Session Manager key provides a list of commands to be executed before commands to be executed before loading servicesloading services– e.g. Autochk.exe toole.g. Autochk.exe tool

» specified by the value of the BootExecute specified by the value of the BootExecute entry and virtual memory (paging file) settings entry and virtual memory (paging file) settings stored in the Memory Management subkeystored in the Memory Management subkey

» version of the Chkdsk toolversion of the Chkdsk tool

» runs at startup if the operating system detects runs at startup if the operating system detects a file system problem that requires repair a file system problem that requires repair before completing the startup processbefore completing the startup process

Subkey Information for SMssSubkey Information for SMss

Service Control Manager key initializes Service Control Manager key initializes services that the Start entry has services that the Start entry has designated as Auto-loaddesignated as Auto-load

Finally, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Finally, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubsystemsControl\Session Manager\Subsystems

– available subsystemsavailable subsystems– allows Csrss.exe (user-mode portion of the allows Csrss.exe (user-mode portion of the

Windows subsystem) to be selectedWindows subsystem) to be selected NO WONDER IT TAKES SO LONG!!!NO WONDER IT TAKES SO LONG!!!

Stage 6: Logon PhaseStage 6: Logon Phase Managed by Winlogon.exeManaged by Winlogon.exe

– initializes security and authentication initializes security and authentication componentscomponents

– starts the Services subsystem or Service starts the Services subsystem or Service Control Manager (SCM): services.exeControl Manager (SCM): services.exe» starts the Local Security Authority (LSA) starts the Local Security Authority (LSA)

process (lsass.exe)process (lsass.exe)» parses the Ctrl+Alt+Del key combination at the parses the Ctrl+Alt+Del key combination at the

Begin Logon promptBegin Logon prompt

Logon PhaseLogon Phase

The The Graphical Identification and Graphical Identification and AuthenticationAuthentication (GINA) component: (GINA) component:– collects the user name and passwordcollects the user name and password– passes this information securely to the LSA passes this information securely to the LSA

for authenticationfor authentication– if the user supplied valid credentials, if the user supplied valid credentials,

access is granted by using either the access is granted by using either the Kerberos V 5 authentication protocol or Kerberos V 5 authentication protocol or NTLMNTLM

Logon PhaseLogon Phase After the user has logged on:After the user has logged on:

– control sets are updated according to control sets are updated according to group policy settingsgroup policy settings

– changes to local registry settings take changes to local registry settings take effecteffect

– user startup programs run e.g.user startup programs run e.g.» login scriptslogin scripts» programs in startup foldersprograms in startup folders» services found in registry subkeys & folder services found in registry subkeys & folder

locationslocations

Logon PhaseLogon Phase ServicesServices loaded from these registry subkeys: loaded from these registry subkeys:

» HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunonceWindows\CurrentVersion\Runonce

» HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\RunWindows\CurrentVersion\policies\Explorer\Run

» HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunWindows\CurrentVersion\Run

» HKEY_CURRENT_USER\Software\Microsoft\Windows HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\ RunNT\CurrentVersion\Windows\ Run

» HKEY_CURRENT_USER\Software\Microsoft\Windows\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunCurrentVersion\Run

» HKEY_CURRENT_USER\Software\Microsoft\Windows\HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnceCurrentVersion\RunOnce

Logon PhaseLogon Phase

ServicesServices loaded from these folder loaded from these folder locations…locations…– ssystemdriveystemdrive\Documents and Settings\All \Documents and Settings\All

Users\Start Menu\Programs\StartupUsers\Start Menu\Programs\Startup– systemdrivesystemdrive\Documents and Settings\\Documents and Settings\

usernameusername\Start Menu\Programs\ Startup\Start Menu\Programs\ Startup– windirwindir\Profiles\All Users\Start Menu\\Profiles\All Users\Start Menu\

Programs\StartupPrograms\Startup– windirwindir\Profiles\\Profiles\usernameusername\Start Menu\\Start Menu\

Programs\StartupPrograms\Startup

Concluding Logon Phase…Concluding Logon Phase… Winlogon provides Plug and Play support for Winlogon provides Plug and Play support for

computers equipped with ACPI firmware computers equipped with ACPI firmware (Advanced Configuration & Power Interface):(Advanced Configuration & Power Interface):– enables enhanced features, e.g hardware resource enables enhanced features, e.g hardware resource

sharingsharing– especially useful for “especially useful for “mobile” mobile” usersusers

» use portable computers that support standby, hibernation, use portable computers that support standby, hibernation, hot and warm docking, or undocking featureshot and warm docking, or undocking features

Plug and Play Device DetectionPlug and Play Device Detection– runs asynchronously with the logon processruns asynchronously with the logon process– relies on system firmware, hardware, device driver, relies on system firmware, hardware, device driver,

and operating system e.g. ACPI to detect and and operating system e.g. ACPI to detect and enumerate new devicesenumerate new devices

Protecting the Server SoftwareProtecting the Server Software

All hardware can go wrong and should have a All hardware can go wrong and should have a backupbackup

What of software… need tools…What of software… need tools…– what to backup?what to backup?– when to backup?when to backup?– how to backup?how to backup?– where to put the backup?where to put the backup?– how long to keep the backup?how long to keep the backup?– can the backed up software be fully restored…can the backed up software be fully restored…

Client Files BackupClient Files Backup

Windows (XP onwards) presents four Windows (XP onwards) presents four backup choices:backup choices:– all filesall files– current user settingscurrent user settings– all user settingsall user settings– custom choicecustom choice

» can choose between anything from all files and can choose between anything from all files and folders to nonefolders to none

Where to backup to?Where to backup to? Computer hard disk?Computer hard disk?

– ideal backup location is a separate partition on the same diskideal backup location is a separate partition on the same disk– e.g. hard disk is partitioned into drive C and drive De.g. hard disk is partitioned into drive C and drive D

» data is on drive Cdata is on drive C

» can safely it back up to drive D.can safely it back up to drive D.

Zip drive or other removable media?Zip drive or other removable media?– unfortunately, the Windows Backup utility can't save files unfortunately, the Windows Backup utility can't save files

directly to a CD-RW drive (!)directly to a CD-RW drive (!)

Shared network drive? Limited only by the amount of Shared network drive? Limited only by the amount of free space on the network sharefree space on the network share

External hard disk drive?External hard disk drive? USB? IEEE 1394 (ie LAN)? FireWire? Cloud?USB? IEEE 1394 (ie LAN)? FireWire? Cloud?

Prioritising Server Backup?Prioritising Server Backup?

Servers typically hold a lot of dataServers typically hold a lot of data Generally accepted that “system state” Generally accepted that “system state”

files are those that are most important files are those that are most important for keeping the NOS functioning for keeping the NOS functioning normallynormally– need to be backed up on a regular basisneed to be backed up on a regular basis

System stateSystem state Windows “essential files” for boot up:Windows “essential files” for boot up:

– Active Directory (NTDS)Active Directory (NTDS)– System Volume (SYSVOL)System Volume (SYSVOL)– Boot filesBoot files– RegistryRegistry– COM+ class registration databaseCOM+ class registration database

Windows “backup” program enables Windows “backup” program enables system state files to be saved to system state files to be saved to another locationanother location– they can be copied back via cmd line in they can be copied back via cmd line in

event of a crash that won’t rebootevent of a crash that won’t reboot