The startup principles of Win2003 and Win2008, and troubleshooting dual-boot failures

  

Recently, students have often asked about Win2008 startup issues and about startup problems when an earlier Windows version coexists with Vista or Win2008. We are now in the transition period between the old and new versions of the operating system, and these questions keep coming up more often, so I wrote this article to talk about the startup principle of the new operating system and how to resolve startup failures when old and new operating systems coexist.

We first look at the boot process of WinXP/2003. This process is actually quite complex; here I drew a sketch:





Of course, this diagram does not describe every detail of the startup process, but the main parts are there. We will not go through it in detail here; for example, after the system self-test succeeds, the boot information in the first 446 bytes of the MBR is read. Those are not the key points of today's discussion, so we only cover the more important ones. The most important step is NTLDR. This program is located in the root directory of drive C, as shown in the figure:






NTLDR: full name NTOS Loader, the operating system loader. Its main function is to parse the Boot.ini file. Based on the contents of Boot.ini, the system displays a selection menu during startup, and the user chooses the operating system to start. Besides NTLDR, the root directory of drive C also holds a boot.ini file, and this file carries a lot of weight in XP/2003!

BOOT.INI: the boot menu file. It stores the boot configuration of the current machine: How many operating systems are installed? Which partition is each one located on? What selection prompt is shown to the user? What is the default selection time? And so on.
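Added example (not part of the original article): a small parser that answers the questions above from a boot.ini file and flags a default entry that matches no listed system, a common cause of dual-boot failures. The sample file is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: a dual-boot machine with two Windows installations.
SAMPLE = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Enterprise" /fastdetect
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

# ARC path: controller, disk, rdisk, partition, then the system directory.
ARC = re.compile(r"^(?:multi|scsi)\(\d+\)disk\(\d+\)rdisk\(\d+\)partition\((\d+)\)\\", re.I)
ENTRY = re.compile(r'^(?P<path>[^=]+)="(?P<label>[^"]*)"\s*(?P<switches>.*)$')

def parse_boot_ini(text):
    """Return (loader settings, list of operating-system entries)."""
    section, loader, systems = None, {}, []
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "boot loader" and "=" in line:
            key, value = line.split("=", 1)
            loader[key.strip().lower()] = value.strip()
        elif section == "operating systems" and (m := ENTRY.match(line)):
            arc = ARC.match(m["path"])
            systems.append({
                "path": m["path"].strip(),
                "label": m["label"],
                "switches": m["switches"].split(),
                "partition": int(arc[1]) if arc else None,  # None: not an ARC path
            })
    return loader, systems

def summarize(text):
    """Answer the article's questions: how many systems, where, prompt, timeout."""
    loader, systems = parse_boot_ini(text)
    default = loader.get("default", "").lower()
    return {
        "count": len(systems),
        "partitions": [s["partition"] for s in systems],
        "prompts": [s["label"] for s in systems],
        "timeout": int(loader["timeout"]) if "timeout" in loader else None,
        # False: the default line points at no entry under [operating systems]
        "default_ok": any(s["path"].lower() == default for s in systems),
    }

if __name__ == "__main__":
    print(summarize(SAMPLE))
```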

Besides reading the startup configuration in the BOOT.INI file, NTLDR loads and executes the NTDETECT.COM file in the root directory of drive C to collect the system's hardware information. NTDETECT.COM calls the BIOS, and the results are returned to NTLDR for use by the operating system and saved to the registry. If all of the above goes well, the familiar progress bar appears! Next, the Windows kernel file is loaded: NTOS, full name NTOSKRNL.EXE, along with the files it depends on, as shown:






The next step hands execution over to NTOSKRNL.EXE, which handles the work from here on! NTOSKRNL.EXE calls a series of system functions; this is the most complicated part of the whole startup process and the most prone to problems. If nothing goes wrong in this part, the first process of the system is created: SMSS.

SMSS: Session Manager Subsystem. This is the first user-mode process. It performs the operations defined in certain registry keys, such as bootexecute, pendingfilerenameoperations and the paging file, and it creates the CSRSS system server process and the Winlogon login process.

CSRSS: Client/Server Runtime Server Subsystem. Role: the client/server subsystem, which controls the Windows graphics-related subsystem and is part of the user-mode Win32 subsystem. Csrss stands for the client/server runtime subsystem and is a basic subsystem that must be running at all times. Csrss is used to maintain control of Windows.

Winlogon: the Windows login process. Its main role is to start the LSASS process (Local Security Authority Subsystem Service). On XP it also starts the Logonui process; on Win2003 no logonui is created. It displays a login prompt box asking the user for a username and password, then passes the information to LSASS for verification. If verification succeeds, an access token is created. Finally, the userinit program runs the user login and initialization scripts. Once the desktop appears, the startup work is complete. Note that while winlogon authenticates the user, it also starts Services and the related services.

The Winlogon process is still very complicated, because user authentication and authorization are involved along the way; here we take a simplified view. The ways of logging in to the system are mainly interactive login, system login, network login, service login and batch login. The most used are interactive login, system login, network login and service login. The one users know best is of course interactive login, that is, a person sitting in front of the computer, face to face with the beloved machine! So let's talk about the interactive login process:

First, Winlogon appears as the login process and prepares the user's login environment. It then loads a DLL file, MSGINA.DLL, which displays the "Ctrl+Alt+Del" interface on screen and prompts the user for a username and password. The information received is passed to the next process: LSASS, which authenticates the user's identity. Many cases arise here: authentication of workgroup users, of users in a single domain, of users from different domains, and so on, but in every case the LSASS process is responsible for authentication. One service is involved: Netlogon. This service mainly handles login verification and NTLM authentication. In a domain environment it also helps the client update the host's DNS records and locate the domain controller, which is why we restart the netlogon service when contacting the domain controller fails! Leaving older operating systems aside, the authentication protocol generally used in a workgroup environment is NTLM, and the one used in a domain environment is Kerberos V5.

NTLM: uses a challenge/response mode. The process is as follows. First, the client sends a connection request asking the other side to authenticate its identity, but it does not send the actual password. The server sends a random 8-byte challenge, such as 1234567812345678, and associates this challenge with the current session. After receiving the challenge, the client does the following:

a. It MD4-hashes its own plaintext password to obtain a 16-byte password hash value;
b. Using the hash value just obtained, the name of the server to log in to, or the domain name and other information, is MD5-encrypted again to obtain a second hash value;
c. The second hash value is then used to MD5-encrypt the 8-byte challenge once more, yielding a 16-byte hash value;
d. Finally, this value is passed to the server as the response.

How does the server then know whether you are a legitimate user? Because the server has your password plaintext, it performs the same operations starting from your plaintext password. If the results match, the other party is considered a legitimate user!

Kerberos V5 mainly authenticates the user's identity and issues a ticket for the user to access network services, which suits an open environment such as a domain. The authentication process is very complicated, and I can only talk about it briefly.
