
Phase 6 - Winload & System Registry

At this point an operating system has been selected; the computer knows where Windows is installed.  Windows Vista and later (those using BOOTMGR) will try to load the file WINLOAD.EXE;  you will get a nice error if this can't be found according to the PATH setting in the BCD file.  Older versions (those using NTLDR) don't try to load an executable now.  Technical note: WINLOAD is a protected mode program; it neither has nor needs a "real mode stub" because BOOTMGR has already switched the CPU out of 16-bit "real" mode. From now on, files are loaded from the "system path" as specified by BOOT.INI or the BCD hive (this may be different from the Winload path).
Either way, the first thing the loader loads is the kernel, which is typically NTOSKRNL.EXE (another file may be specified by BOOT.INI / BCD hive).  It is not started yet, however.
The next step is to load HAL.DLL, which is the hardware abstraction layer.  You may have to re-install Windows or copy the "right" HAL.DLL file from the source disks if you change the motherboard in your PC.  You will almost certainly get the Blue Screen of Death (BSOD) if the "wrong" HAL is loaded (I sure have).  Of course the BSOD may also occur if the right HAL.DLL file is corrupt.  You will get an error if it is missing.
The next (critical) thing is to load the SYSTEM registry.  The loader looks for the file %Windows%\System32\config\system, where %Windows% is whatever was specified in the selected BOOT.INI / BCD entry.  This is a registry hive.  You'll get a nice error message if this can't be loaded.  If it is corrupt, you may get an error message, but the machine may lock up, reboot, or give you the BSOD.
This registry hive (SYSTEM) contains machine-global (not user-specific) settings.  In particular it contains a list of device drivers needed to boot the kernel (see Phase 7).  It also contains the names assigned to each partition, under the key "MountedDevices" with values named "\DosDevices\C:", "\DosDevices\D:", etc.  Normally when Windows setup is run, the traditional "drive C" is assigned to the partition that Windows is installed in.  However it is possible (but difficult) to change this; the "active" partition (where Windows is installed) could be named something else, like drive K.  (And I have multiple systems to prove it.)  The important thing is that this registry key determines how this operating system will refer to itself (and other partitions).
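
When examining an offline SYSTEM hive (for example during forensics or boot repair), the binary data behind each "MountedDevices" value shows which partition a drive letter really refers to. The following is an added example, not part of the original page: it decodes the three common data layouts (MBR signature plus offset, GPT "DMIO:ID:" plus GUID, and a UTF-16 device path) for value names of the form `\DosDevices\C:`. The sample values are constructed, and the function names are this example's own.

```python
import struct
import uuid

PREFIX = "\\DosDevices\\"

def decode_mounted_device(data: bytes) -> dict:
    """Decode the binary data of one MountedDevices value."""
    if len(data) == 12:
        # MBR disk: 4-byte disk signature + 8-byte partition start offset (bytes), little endian
        signature, offset = struct.unpack("<IQ", data)
        return {"type": "mbr", "disk_signature": f"{signature:08X}", "start_offset": offset}
    if len(data) == 24 and data[:8] == b"DMIO:ID:":
        # GPT disk: literal tag followed by the 16-byte partition GUID in Windows byte order
        return {"type": "gpt", "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    try:
        # Removable and other devices: a UTF-16LE device path string
        return {"type": "device_path", "path": data.decode("utf-16-le")}
    except UnicodeDecodeError:
        # Truncated or corrupt data: keep the raw bytes for manual review
        return {"type": "unknown", "raw": data.hex()}

def drive_letters(values: dict) -> dict:
    """Map each drive letter to its decoded identifier and matching volume-name aliases."""
    result = {}
    for name, data in values.items():
        if not name.startswith(PREFIX):
            continue
        entry = decode_mounted_device(data)
        # A \??\Volume{...} value holding identical data names the same partition
        entry["volume_names"] = sorted(
            n for n, d in values.items() if d == data and n.startswith("\\??\\Volume{")
        )
        result[name[len(PREFIX):]] = entry
    return result

# Constructed sample values (not taken from a real hive)
SAMPLE = {
    r"\DosDevices\C:": struct.pack("<IQ", 0x1234ABCD, 1048576),
    r"\DosDevices\K:": b"DMIO:ID:" + uuid.UUID("11111111-2222-3333-4444-555555555555").bytes_le,
    r"\??\Volume{aaaaaaaa-0000-0000-0000-000000000001}": struct.pack("<IQ", 0x1234ABCD, 1048576),
    r"\DosDevices\E:": r"\??\USBSTOR#Disk&Ven_Example".encode("utf-16-le"),
}

if __name__ == "__main__":
    for letter, info in sorted(drive_letters(SAMPLE).items()):
        print(letter, info)
```
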
Once the hive is loaded, an options menu (a different menu from Phase 5) may be displayed.  It is generally only shown if an improper shutdown was detected, or if the user pressed F8 while the computer was booting or during the "OS Selection" of Phase 5.  This menu gives the (unfortunately) familiar choices like: SAFE MODE, LAST KNOWN GOOD, START NORMALLY, etc.  If the user chooses any of the varieties of SAFE MODE, then the "kernel string" will be modified accordingly (you can force this with an appropriate BOOT.INI / BCD entry setting).  If "LAST KNOWN GOOD" is selected, the "control set" (a huge key in the system registry hive) is selected based on the value in the registry key "LastKnownGoodRecovery".  If this menu is not displayed (typical) or the user selects START NORMALLY then the "control set" is selected based on the value in the registry key "Select".
With the "control set" determined, the computer proceeds to Phase 7.

© H2Obsession, 2014