
Phase 9: CSRSS & Software Hive

At this point the Client-Server Runtime Sub-System is starting, and this allows the session control manager to start creating "desktops" or "Winstations" as Microsoft likes to call them. They are just virtual terminals. Assuming auto-login is not enabled, you will see the first "Winstation" (which I like to think of as the system desktop) and you will be asked to select a user account and/or enter a password. If auto-login is enabled, or you manually log in, then a second "Winstation" (i.e., your personal desktop) is created. But that is getting ahead of ourselves!
 
So to review, NTOSKRNL has started the (dummy) IDLE process and SYSTEM process. The SYSTEM process has started SMSS. SMSS has started LSASS.EXE and SERVICES.EXE and finally CSRSS.EXE. Meanwhile LSASS has started WINLOGON.EXE. All of these load auxiliary files (mainly DLLs), so they tend to block each other as they wait for modules to load. Very difficult to figure out the exact order with a kernel debugger!
 
Anyway, the SERVICES executive should load the event logger so at least you should be able to examine the error logs if something goes wrong in this phase.  Just in case it fails to report, here are suspect files that may be causing failures at this stage (approximately in the order they are loaded):
  • oakley.dll (manages encryption keys for ipsecsvc.dll)
  • sxs.dll (manages Side-by-Side DLLs)
  • USER32.dll (User API)
  • SHDOCVW.dll (Shell Document/View library)
  • wdigest.dll (LDAP Digest Authentication)
  • SCESRV.dll (Security Configuration Editor Server; loaded by SERVICES.EXE; interfaces with scecli.dll)
  • umpnpmgr.dll (User-Mode Plug-and-Play Manager)
  • WZCSvc.DLL (Wireless Zero Configuration Service)
  • query.dll (Content Index Utility)
  • DHCPCSVC.DLL (Dynamic Host Control Protocol Client Service)
  • msi.dll (Microsoft Installer)
  • SHELL32.dll (Windows Shell common library)
  • ntdll.dll (NT Layer API)
  • kernel.dll (Windows Base API)
  • MSVCR100.dll (Microsoft C Runtime library)
  • msxml5.dll (Microsoft eXtensible Markup Language 5)
  • urlmon.dll (OLE extensions; provides system Monikers with asynchronous binding to URLs)
  • MSVCP100.dll (Microsoft C++ Runtime library)
  • Secur32.dll (Security Support API; exports many LSA functions; facilitates NTLM, Schannel [SSL/TLS], and Kerberos)
  • SHLWAPI.dll (Shell Light-Weight API)
  • GDI32.dll (Graphical Device Interface API)
  • RPCRT4.dll (Remote Procedure Call runtime)
  • ADVAPI32.dll (Windows 32-bit Base API)
  • netman.dll (Network connections Manager)
  • ACTIVEDS.dll (ADs Router Layer)
  • msv1_0.dll (Microsoft authentication v1.0)
  • msvcrt.dll (Microsoft Windows NT C Runtime)
  • VERSION.dll (Version checking and installation API)
  • MSACM.dll (Microsoft Audio Compression Manager)
  • midimap.dll (Musical Instrument Device Interface Mapper)
  • eventlog.dll (Event Logging service)
  • Apphelp.dll (Application Compatibility Client Library)
  • MSASN1.dll (ASN.1 Runtime ?)
  • CRYPT32.dll (Cryptography API)
  • cscui.dll (Client-Side Caching UI)
  • setupapi.dll (Windows Setup API)
  • AUTHZ.dll (Authorization framework)
  • NTMARTA.dll (Windows MARTA provider ?)
  • ole32.dll (Object Linking and Embedding, 32-bit API)
  • COMCTL32.dll (Windows' Common Controls API)
  • OLEAUT32.dll (Object Linking and Embedding container ?)
  • COMres.dll (Component Object Model services)
  • CLBCATQ.dll (COM database ?)
  • rasadhlp.dll (modem auto-dialer)
  • WLDAP32.dll (Windows LDAP API)
  • WTSAPI.dll (Windows Terminal Server API)
  • DNSAPI.dll (Domain Name Service client API)
  • RASAPI32.dll (modem services API)
  • TAPI32.dll (Telephony API)
  • rasman.dll (modem connection API)
  • rtutils.dll (Routing utilities)
  • adsldpc.dll (ADs LDAP Provider C)
  • iphlpapi.dll (Internet Protocol Helper API)
  • MPRAPI.dll (MP Router API)
  • WMI.dll (Windows Managed Installation API)
  • IMAGEHLP.dll (Windows Image Helper)
  • WINTRUST.dll (Windows Trust Verification API)
  • credui.dll (Credentials User Interface)
  • PSAPI.DLL (Process Status API)
  • WINMM.dll (Windows Multi-Media API)
  • ATL.DLL (Active Template Library)
  • USERENV.dll (User Environment ?)
  • ntshrui.dll (NTFS Sharing UI)
  • LINKINFO.dll (Volume Tracking)
  • schannel.dll (TLS / SSL provider)
  • w32time.dll (Windows Time service)
  • NTDSAPI.dll (NT5DS ?)
  • cryptdll.dll (Cryptography manager)
  • CSCDLL.dll (Offline Network Agent ?)
  • netshell.dll (Network Connections Shell)
  • comdlg32.dll (Common Dialogs library)
  • IMM32.dll (?)
  • MSIMSG.dll (GDI Extension ?)
  • WINSTA.dll (Winstation library)
  • stobject.dll (Systray shell service object)
  • MSVCP60.dll (Microsoft C++ runtime library)
  • BROWSEUI.dll (Shell Browser UI)
  • davclnt.dll (Web DAV Client API)
  • drprov.dll (Terminal Services network provider)
  • MLANG.dll (Multi-Language support library)
  • winsrv.dll (Windows Server API)
  • basesrv.dll (Windows NT Base Server library)
  • CSRSRV.dll (Client Server Runtime API)
  • MSGINA.dll (NT Logon GINA ?)
  • LSASRV.dll (Local Security Accounts Server)
  • msctfime.dll (Microsoft Text Framework IME)
  • CRYPTUI.dll (Microsoft Trust UI)
  • BatMeter.dll (Battery Meter helper)
  • CFGMGR32.dll (Configuration Manager forwarder)
  • POWRPROF.dll (Power Profile helper)
  • MSCTF.dll (Microsoft CTF Server ?)
  • eappcfg.dll (EAP Peer Configuration ?)
  • netlogon.dll (Netlogon Services)
  • SAMSRV.dll (Security Accounts Manager Server)
  • scecli.dll (Security Configuration Editor Client)
  • ipsecsvc.dll (IP Security SPD server)
  • psbase.dll (Protected Storage default provider)
  • pstorsvc.dll (Protected Storage server)
  • WINIPSEC.DLL (Windows' IP Security SPD client API)
  • ODBC32.DLL (Open Database Connection driver manager)
  • sti.dll (Still Image device client library)
  • dot3dlg.dll (802.3 UI)
  • WZCSAPI.DLL (Wireless Zero Configuration Service API)
  • wdmaud.drv (WDM Audio driver mapper)
  • msacm32.drv (Microsoft Audio Compression Manager mapper)
  • WinSCard.dll (Windows Smart Card API)
  • actxprxy.dll (ActiveX interface proxy)
  • kerberos.dll (Kerberos Security API)
  • NETUI0.dll (LanMan GUI Classes)
  • NETUI1.dll (LanMan Networking Classes)
  • NETRAP.dll (LanMan Remote Administration Protocol)
  • ntlanman.dll (NT LAN Manager)
  • SAMLIB.dll (Security Accounts Manager Library)
  • NETMSG.DLL (LanMan Messages)
  • MPR.dll (Multiple Provider Router)
  • WS2_32.dll (Windows' Socket 2.0 32-bit API)
  • WS2HELP.dll (Windows' NT Socket 2.0 Helper)
  • wshtcpip.dll (Windows Socket Helper for TCP/IP)
  • mswsock.dll (Microsoft Windows' Socket 2.0 provider)
  • browselc.dll (Shell Browser library)
  • AcGenral.dll (Windows Compatibility ?)
  • DUSER.dll (Windows' Direct User engine ?)
  • dssenh.dll (DSS Enhanced Cryptography)
  • rsaenh.dll (RSA Enhanced Cryptography)
  • hnetcfg.dll (Home Networking Configuration manager)
  • tquery.dll (???)
  • NCObjAPI.DLL (???)
  • MSUTB.dll (???)
  • OneX.DLL (IEEE 802.1x library)
  • ShimEng.dll (Shim Engine ?)
  • themeui.dll (Windows Theme UI)
  • NETAPI32.dll (Network API)
  • UxTheme.dll (User Theme ?)
  • wiashext.dll (Windows Imaging Shell Folder UI)
  • gdiplus.dll (GDI Plus)
  • WINHTTP.dll (Windows HTTP services)
  • msprivs.dll (Microsoft Privilege Translation)
  • dot3api.dll (802.3 Autoconfiguration API)
  • AcAdProc.dll (Windows' Compatibility ?)
  • WININET.dll (Internet extensions for Win32)
  • xpsp2res.dll (Service Pack 2 Messages)
  • PROPSYS.dll (Microsoft Property System ?)
  • Normaliz.dll (Unicode normalization library)
Well now that is quite a list! A few things listed above might not actually load until you log on, and of course your system may have more or fewer files loaded (probably more if you use Windows Vista or newer). Also there may be multiple occurrences of some files, due to version differences (like comctl32.dll and msvcrt.dll). Oh yeah, some of the names are capitalized, some are lower case, and a few are ALL CAPS. Don't blame me -- I'm just reporting them, I don't name them :)
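
An offline check for the files listed above, as an added example that is not part of the original page: it looks each name up case-insensitively in a mounted System32 directory and reports files that are missing, empty, or lack valid DOS/PE headers. The `SUSPECTS` subset, the function names and the sample directory are assumptions constructed for illustration.

```python
import os
import struct
import tempfile

# Subset of the list above (spelled as the page spells them); extend as needed.
SUSPECTS = ["sxs.dll", "USER32.dll", "ntdll.dll", "eventlog.dll", "CSRSRV.dll"]

def pe_status(path):
    """Classify a file as 'ok', 'empty' or 'corrupt' from its DOS/PE headers."""
    with open(path, "rb") as f:
        head = f.read(0x40)                      # DOS header is 64 bytes
        if not head:
            return "empty"
        if len(head) < 0x40 or head[:2] != b"MZ":
            return "corrupt"
        (e_lfanew,) = struct.unpack_from("<I", head, 0x3C)
        f.seek(e_lfanew)                         # offset of the PE signature
        return "ok" if f.read(4) == b"PE\0\0" else "corrupt"

def triage(system32, names=SUSPECTS):
    """Map each listed name to 'missing', 'empty', 'corrupt' or 'ok'."""
    # Names vary in case, and a volume mounted elsewhere may be case-sensitive.
    on_disk = {entry.lower(): entry for entry in os.listdir(system32)}
    report = {}
    for name in names:
        actual = on_disk.get(name.lower())
        report[name] = pe_status(os.path.join(system32, actual)) if actual else "missing"
    return report

def build_sample(root):
    """Write a constructed sample directory (stub files, not real Windows DLLs)."""
    stub = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0"
    samples = {"SXS.DLL": stub, "user32.dll": stub,
               "ntdll.dll": b"MZ" + b"\0" * 10,   # truncated header
               "eventlog.dll": b""}               # zero-length file
    for fname, data in samples.items():
        with open(os.path.join(root, fname), "wb") as f:
            f.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        for name, status in triage(d).items():
            print(f"{name:14} {status}")
```

A passing header check only shows that the file is present and starts like a PE image; it does not prove the rest of the file is intact.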

© H2Obsession, 2014