How does the boot work

Windows Boot in a nutshell - the Windows startup process simply explained

Before you can log in as a user at the Windows login, the computer goes through the boot process after it has been switched on. It is this multi-stage process that turns the amalgam made of plastic, silicon and metal into the versatile and powerful computer. If something goes wrong in any of the steps, the PC remains a bunch of plastic, silicon and metal without function. Since there is no graphical user interface, troubleshooting is extremely difficult. For this reason, it makes sense to take a closer look at the startup process. Knowing where things can go wrong also makes troubleshooting a lot easier.

Booting or "the transformation of the paperweight"

A computer without a loaded operating system is nothing more than a bulky, oversized paperweight. It cannot be used productively. The process that elicits its potential from the paperweight is called the start-up process or boot process. Translated into the world of mechanics: The boot process is for a computer what starting is for a car.

The start-up process is not a monolithic act. Booting, as the computer starts up, is a multi-stage, sequential process in which a computer acquires its capabilities by repeatedly loading and executing software. He gets to know his components, he acquires the ability to address them and he learns where to look for software that extends him with additional functions. Because just as a person must first master the basic arithmetic in order to understand the percentage calculation, the computer must also gradually acquire its skills.

In the early years of the computer it was actually different. At that time, many functions were mapped in hardware that are now performed by software. Just one example to make this clear: The video game Pong from 1972 consisted entirely of analog and digital circuits without a microprocessor or software. When you switched on the device, the game was immediately available. There was no boot process as we know it today with PCs and cell phones. The much lower flexibility of the coding of functions in hardware is the reason for the triumphant advance of software coding in the following years.

The term “boot” is derived from the English word bootstrap. Bootstrap loaders are the programs that give a computer its basic information and capabilities when it starts up. The English expression "to pull oneself up by one's bootstraps", which in German can be best translated as "pull yourself out of the swamp by your own head", draws attention to the fact that computers are loaded and executed sequentially by software start, but this process has to be started by a different mechanism.

The central elements of the boot process are the firmware - the BIOS for older computer architectures, the UEFI for newer ones - the master boot record (MBR) or the GUID partition table (GPT) and the kernel. Most English terms have no German equivalents. And even if there are translations, they are rarely used. Therefore, we use the English terms consistently in this article.

The figure shows these elements in a structured form for two different systems: The left side shows them for a single boot system, i.e. for a computer with a single operating system. In the picture this is Windows. When the computer starts, the computer automatically boots this operating system. A dual boot system is shown on the right, i.e. a computer with two bootable operating systems. After switching on, the user has the choice of starting one or the other operating system. Datamate's Buddy is such a dual-boot system. Windows 10 and Ubuntu Linux are installed on it and both are equally functional.

Boot process - step-by-step

The details of the boot process are different for MacOS than for Linux, for Android different than for iOS and there are also differences in the start process for old and new Windows versions. Windows Vista introduced significant changes to the Windows boot process to make Windows startup faster, more flexible and more reliable.

The basics of the boot process are the same across all systems: First, during booting, the computer learns how to communicate with its various components such as hard drives and keyboard. Then he learns about the existence of partitions and learns about the importance of file systems. At the end of the boot process, it loads the operating system kernel as well as drivers and programs. The exact sequence, the role of the individual stages and the skills "learned" are shown below for a computer with an MBR-formatted storage medium and activated Compatability Support Module (CSM). (In the case of a GPT-formatted data carrier, the boot process differs from the process shown here.)

The following explanations apply to the somewhat outdated Windows 7 as well as to the current Windows 10. Since the changes that were made to the startup process with Windows Vista, the boot process of the Windows operating system has been stable. The steps and the programs involved have remained unchanged since then.

Step 1: Calling the BIOS

The Basic Input Output System (BIOS) is the computer code that is located in a non-volatile memory on the mainboard of the computer and is executed immediately after the computer is started. Because of its location, the BIOS is also known as firmware. The suitcase word firmware is made up of the English term firm (German: stable or unchangeable) and software.

In early PCs, the BIOS was stored on read-only memory (ROM) chips. The data stored on such chips can no longer be changed after production (e.g. mask ROM) or only with great technical effort (e.g. EEPROMs). Today the firmware is mostly on flash memories. They offer the advantage over traditional hard drives that they can be written to without being removed from the computer. In this way, additional functions can be retrofitted or bugs (i.e. errors in the program code) can be eliminated.

Generally speaking, the firmware makes the computer ready for operation and then transfers control of the hardware to a program that is loaded from a bootable data carrier. The BIOS must be informed of which data carrier this is in the case of several mounted data carriers. Not every drive is bootable. Old BIOS versions e.g. B. could not, for example, address USB data carriers and thus also not boot from them.

In a little more detail, the BIOS performs the following tasks:

  • Query of the BIOS password (if set)
  • Test of the hardware (so-called Power-On Self-Test, POST for short)
  • Hardware initialization
  • Calling up the BIOS of other components (e.g. graphics card, RAID controller)
  • Determination of the boot drive
  • Checking the boot sector signature
  • Loading and executing the MBR of the boot drive

By calling up the BIOS and transferring it to the bootloader in the MBR, the computer has acquired a basic knowledge of itself. So he has z. B. learned how much RAM he has and how he can address his hard drives. It is not yet a flexible work tool. But it lays the foundation for more. And: The boot process is not yet complete.

Step 2: Executing the Master Boot Record (MBR)

Storage media are divided into so-called blocks or sectors. This applies to classic hard drives as well as to modern solid state drives. The addresses of the blocks can be used to locate data on the hard drive and the computer can access them. The Master Boot Record (MBR) is a special sector. It is the first sector on a data carrier and therefore quite easy to locate. It exists on both large and small storage media. (Linguistically, the MBR as a sector on a data carrier is often equated with the code it contains, even if this is not entirely correct.)

The MBR (i.e. the machine code in it) has a double function: on the one hand, it is a boot loader and, on the other hand, it is a partition table. As a boot loader, it brings the necessary program code in machine language with it to carry out the next start-up phase. The partition table contains the information about the partitions created on the data carrier, such as: B. start block, end block, file system and others. It is the partition information that ensures that several drives with different file systems can exist on a hard disk. Another important piece of information in the partition table is the boot status. An active partition is one to be booted from.

Like any other sector on a hard drive, the MBR is usually only 512 bytes in size (i.e. 512 x 8 bits, i.e. a 0 or a 1). So even if the MBR were full of executable machine code, it would only contain a very manageable set of instructions to the computer. In fact, the 440 bytes of memory available for the bootloader is significantly less than the size of the sector. The main reason for this is the 64 bytes that the partition table takes up. According to the scope of the machine code, the functional scope of the MBR is also quite manageable: Evaluate the partition table, find the first active partition and then load and execute the volume boot record of the active partition.

The function of the MBR is completely independent of the operating system. The further explanations are based on a Windows operating system, but a Linux system can also be started with an MBR.

Each partition entry in the partition table is 16 bytes long. The 64-byte partition table of the MBR can store the information from a total of four primary or three primary and one extended partition. The extended partition can be used to create additional logical partitions. The associated restrictions were an important reason for its replacement since 2010 - especially in Windows systems. The GPT partition scheme allows significantly more partitions.

Step 3: Executing the Volume Boot Record (VBR)

The Volume Boot Record (VBR) is to a partition what the master boot record is to the disk: the first sector in a partition. Like any other sector, it is only 512 bytes in size when formatted normally.

The Windows bootloader is located in the VBR of the active Windows partition. By executing its code, the computer “learns” how to use a file system. In a more practical way, it means that it learns what file names and directories are and how they can be found on the partition. Up to this point in time the computer did not know any file names but only sector addresses as they are also used in the partition table.

Equipped with this new capability, the Windows bootloader then searches for the bootmgr file (no file extension) in the root directory (i.e. the top directory) of the active partition and executes this file. This file contains machine code that can be processed directly by the processor.

Step 4: Start the Windows Boot Manager BOOTMGR

The Windows Boot Manager is a program that makes it possible to steer the boot process in one direction or the other. If several operating systems are installed on one computer, the desired operating system can be selected via the boot manager. The operating systems can either be in different partitions or on different data carriers.

Until Windows XP the Windows Boot Manager was called NTLDR. With Windows Vista, the boot manager was massively rebuilt and now operates under the name BOOTMGR. The BOOTMGR is also in every Windows 10 system.

One of the biggest differences between NTLDR and the BOOTMGR is the way the configuration information is stored. NTLDR used a simple text file called boot.ini. The new Windows boot manager saves this information in a database that has the same structure as the Windows registry database (a so-called hive). The location of this database is in the directory \ BOOT \ BCD on the active partition.

If BOOTMGR is executed by the Windows boot loader in the VBR, the boot manager loads the database and displays the boot options on the screen. If there is only one boot option, then the boot manager is usually set so that it does not even show the selection and automatically starts the only available Windows operating system. Therefore, most users do not even notice BOOTMGR. If a current Windows operating system is selected in the boot manager, the winload.exe file is loaded and executed in the% WINDIR% \ System32 directory of the selected operating system's partition.

In our experience, this stage of the boot process is the most delicate: On the one hand, it happens time and again that users delete the bootmgr file and the associated database. The information in the BCD database may also be incorrect or the entire database may be corrupt. Another stumbling block is the comparison of the data carrier signature of the BOOTMGR. The Windows boot manager compares the data carrier signature in the MBR with the signature stored in the BCD. In the event of a mismatch, BOOTMGR refuses to start with the error message “winload error”.

Step 5: Load the Windows loader winload.exe

Like other EXE files, winload.exe is a file that contains machine code that can be executed by the microprocessor. It contains the instructions that device drivers are loaded for the various components of the system. This is the prerequisite for the Windows operating system, with its uniform code base, to be able to run on different hardware (hardware abstraction layer). Once the drivers for the components are loaded, winload.exe can also load the hardware-independent kernel and the registration database. Control of the system is then passed to the kernel.

Step 6: System control by the kernel and completion of the boot process

With the transfer of control to the kernel, the configuration-independent part of the start-up process is completed. The operating system has started and is running.

However, the start-up process is not yet completely finished. Other programs that are still loaded are, above all, the numerous Windows services that run in the background and without a visible program window, as well as the programs that are in Windows' autostart. Services as well as autostarted programs can be configured via the system configuration or the task manager.

If you want to know more precisely which programs, services, drivers, add-ins and other components are loaded and executed by the kernel, you can satisfy your curiosity with the AutoRuns program from Sysinternals, a subsidiary of Microsoft. Autoruns analyzes the system and lists all elements that are automatically started by the operating system.

Basically, the less programs and code have to be executed, the faster the Windows logon mask appears, after which you can use the computer for surfing, writing e-mails, playing computer games and much more. However, you should be very careful when mucking out the car. One element too many in the autostart slows down the boot process only insignificantly, but an autostarted program too little can lead to unwanted system behavior.

UEFI boot like MBR boot process

A computer learns its capabilities step-by-step when it boots. The boot process is complicated by the fact that, on the one hand, old conventions have to be retained for reasons of compatibility (e.g. start program in the first sector) and, on the other hand, flexibility requirements (e.g. different data carrier configurations) have to be mapped. The generation change in the firmware has led to changes, but has not eliminated the structure of the boot process as a step-by-step process. A start program is also started on UEFI computers, which then transfers control to an operating system-specific boot loader.

The boot process can get out of step in every step. Targeted troubleshooting requires a basic understanding of the process. The aim of this article is to help solve problems by illustrating the basic mechanics.

glossary

Machine language: the form of program code that can be directly executed by a computer's processor, i.e. a sequence of bits that the computer can understand. Which bit sequences and their structure are understandable for a processor is defined in the form of an instruction set for each processor type.

Partition: a logical volume, i.e. a separate area on a storage medium with its own file system, so that it looks to the operating system as if it is a separate volume.

written by

Ralf Dyllick-Brenzinger