Diagnosing and correcting hardware and software problems that affect the startup process is an important troubleshooting skill. Resolving startup issues requires a clear understanding of the startup process and core operating system components.

For information on how to obtain the Windows XP Professional Resource Kit in its entirety, please see http://www.microsoft.com/mspress/books/6795.asp.

On This Page

Related Information
Understanding the Startup Process
Recovering from Hardware-Related Problems
Additional Resources

Related Information

• For more information about troubleshooting concepts, see Chapter 27, “Understanding Troubleshooting.”

• For more information about enabling, disabling, and managing devices, see Chapter 9, “Managing Devices.”

• For more information about troubleshooting disk or file system problems, see Chapter 28, “Troubleshooting Disks and File Systems” and Chapter 12, “Organizing Disks.”

• For more information about Microsoft Windows XP Professional troubleshooting tools, see Appendix C, “Tools for Troubleshooting.”

Understanding the Startup Process

To diagnose and correct a startup problem, you need to understand what occurs during startup. The first step in isolating startup problems is for you to determine whether the problem occurs before, during, or after Microsoft Windows XP Professional starts up.

The root cause of startup failure, including contributing factors, can stem from a variety of problems, such as user error, application faults, hardware failures, or virus activity. If the condition is serious enough, you might need to reinstall Windows XP Professional or restore files from backup media.

In x86-based systems, startup failures that occur before the operating system loader (Ntldr) starts could indicate missing or deleted files, or it could indicate damage to the hard disk master boot record (MBR), partition table, or boot sector. If a problem occurs during startup, the system might have incompatible software or drivers, incompatible or improperly configured hardware, or corrupted system files.

The startup process for x64-based computers is the same as that of x86-based computers.

Startup Phases

The Windows XP Professional startup process closely resembles that of Microsoft Windows NT version 4.0, Microsoft Windows 2000, and Microsoft Windows Server™ 2003, but it significantly differs from Microsoft MS-DOS, Microsoft Windows 95, Microsoft Windows 98, and Microsoft Windows Millennium Edition (Windows Me).

All computers running Windows XP Professional share the same startup sequence:

• Power-on self test (POST) phase

• Initial startup phase

• Boot loader phase

• Detect and configure hardware phase

• Kernel loading phase

• Logon phase

The preceding startup sequence applies to systems started or restarted after a normal shutdown, and it does not apply when you bring your computer out of hibernation or standby. See “Resolving Power Management Problems” later in this chapter for more information about problems that might occur when you bring your computer out of standby or hibernation.

For Windows XP Professional to start, the system and boot partitions must contain the files listed in Table 29-1.

Table 29-1 Windows XP Professional Startup Files

File Name	Disk Location	Description
Ntldr	Root of the system partition	The operating system loader.
Boot.ini	Root of the system partition	A file that specifies the paths to Windows XP Professional installations. For multiple-boot systems, Boot.ini contains the operating system choices that display on the startup menu.
Bootsect.dos (multiple-boot systems only)	Root of the system partition	A hidden system file that Ntldr loads for a Windows XP Professional multiple-boot configuration that includes MS-DOS, Windows 95, Windows 98, or Windows Me. Bootsect.dos contains the boot sector for these operating systems.
Ntdetect.com	Root of the system partition	The file that passes information about the hardware configuration to Ntldr.
Ntbootdd.sys	Root of the system partition (required for SCSI or Advanced Technology Attachment [ATA]controllers with firmware disabled or that do not support extended INT-13 calls).	The device driver used to access devices attached to a SCSI or ATA hard disk whose adapter is not using BIOS. The contents of this file depend on the startup controller used.
Ntoskrnl.exe	systemroot\System32	The core (also called the kernel) of the Windows XP Professional operating system. Code that runs as part of the kernel does so in privileged processor mode and has direct access to system data and hardware. During installation on single processor systems, Windows XP Professional Setup copies Ntoskrnl.exe from the operating system CD. During installation on multiprocessor systems, Windows XP Professional Setup copies Ntoskrnlmp.exe and renames it Ntoskrnl.exe.
Hal.dll	systemroot\System32	The hardware abstraction layer (HAL) dynamic-link library file. The HAL abstracts low-level hardware details from the operating system and provides a common programming interface to devices of the same type (such as video adapters). The Microsoft Windows XP Professional operating system CD contains several Hal files. Setup copies to your computer the file that fits your hardware configuration and then renames the file as Hal.dll.
System registry file	systemroot\System32 \Config\System	The registry file that contains the data used to create the registry key HKEY_LOCAL_ MACHINE\SYSTEM. This key contains information that the operating system requires to start devices and system services.
Device drivers	systemroot\System32 \Drivers	Driver files for hardware devices, such as keyboard, mouse, and video.

Note Windows NT 4.0, Windows 2000, Windows Server 2003, and Windows XP Professional define the “system” and “boot” partitions differently from other operating systems. The system volume contains files that are needed to start Windows XP Professional, such as the Windows loader (Ntldr). The boot volume contains Windows XP Professional operating system files and folders such as systemroot and systemroot\System32. The boot volume can be, but does not have to be, the same volume as the system volume.

In Table 29-1, the term systemroot is one of many environment variables used to associate string values, such as folder or file paths, to variables that Windows XP Professional applications and services use. For example, by using environment variables, scripts can run without modification on computers that have different configurations. To obtain a list of environment variables useful for troubleshooting, type set at the command line.

For more information about environment variables, see “To add or change the values of environment variables” in Windows XP Professional Help and Support Center. For more information about system files, see Appendix A, “System Files Reference.”

Power-On Self Test

As soon as you turn on a computer, its central processing unit (CPU) begins to carry out the programming instructions contained in the basic input/output system (BIOS). The BIOS, which is a type of firmware, contains the processor-dependent code that starts the computer regardless of the operating system installed. The first set of startup instructions is the power-on self test (POST). The POST is responsible for the following system and diagnostic functions:

• Performs initial hardware checks, such as determining the amount of memory present

• Verifies that the devices needed to start an operating system, such as a hard disk, are present

• Retrieves system configuration settings from nonvolatile complementary metal-oxide semiconductor (CMOS) memory, which is located on the motherboard

  The contents of CMOS memory remain even after you shut down the computer. Examples of hardware settings stored in CMOS memory include boot order and Plug and Play information.

After the motherboard POST completes, add-on adapters that have their own firmware (for example, video and hard drive controllers) carry out internal diagnostic tests.

To access and change system and peripheral firmware settings, consult the system documentation provided by the manufacturer.

Initial Startup Phase

After the POST, the settings that are stored in CMOS memory, such as boot order, determine the devices that the computer can use to start an operating system. For example, if the boot order specifies the floppy disk as the first startup device and the hard disk as second (some firmware displays this order as “A, C”), the following scenarios might occur at startup:

The floppy disk drive contains a floppy disk

The BIOS searches the floppy disk drive for a bootable floppy disk. If one is present, the first sector (the floppy disk boot sector) loads into memory. If the floppy disk is not bootable, an error message similar to the following appears:

Non-system disk or disk error 
Replace and press any key when ready

The computer displays the preceding message until you insert a bootable floppy disk or until you remove the floppy disk and restart the computer.

The floppy disk drive does not contain a floppy disk

If you restart the computer without a floppy disk, the computer reads the boot code instructions located on the master boot record (MBR). The MBR is the first sector of data on the startup hard disk and contains instructions (called boot code) and a table (called a partition table) that identify primary and extended partitions. The BIOS reads the MBR into memory and transfers control to the code in the MBR.

The computer then searches the partition table for the active partition. The first sector of the active partition contains boot code that enables the computer to do the following:

• Determine the file system used.

• Locate and start the operating system loader file, Ntldr.

If an active partition does not exist or if boot sector information is missing or corrupt, a message similar to any of the following might appear:

Invalid partition table 
Error loading operating system 
Missing operating system 
BOOT: Couldn’t find NTLDR 
NTLDR is missing

If an active partition is successfully located, the code in the boot sector locates and starts Ntldr and the BIOS releases control to it.

For more information about disks and file systems—including information about the MBR, partitions, and boot sectors—see Chapter 13, “Working with File Systems,” and Chapter 28, “Troubleshooting Disks and File Systems.”

The boot order specifies another startup device

In addition to floppy disks or hard disks attached to SCSI and ATA controllers, some computer firmware can start an operating system from other devices, such as:

• CD-ROMs

• Network adapters

• Removable disks, such as Iomega Zip disks

• Secondary storage devices installed in docking stations for portable computers

It is possible to specify a custom boot order, such as “CDROM, A, C”. When you specify “CDROM, A, C” as a boot order, the following events occur at startup:

• The computer searches the CD-ROM for bootable media.

  If a bootable CD is present, the computer uses the CD-ROM as the startup device. Otherwise, the computer searches the next device in the boot order.

• The computer searches the floppy disk for bootable media.

  If a bootable floppy is present, the computer uses the floppy disk as the startup device. Otherwise, the computer searches the next device in the boot order or displays an error message.

• The computer uses the hard disk as the startup device.

  The computer typically uses the hard disk as the startup device only when the CD-ROM drive and the floppy disk drive are empty.

There are exceptions where code on bootable media transfers control to the hard disk. For example, when you start your system by using the bootable Windows XP Professional operating system CD, Setup checks the hard disk for Windows XP Professional installations. If one is found, you have the option of bypassing CD-ROM startup by not responding to the Press any key to boot from CD prompt that appears.

You cannot use a nonbootable CD to start your system. The presence of a nonbootable CD in the CD-ROM drive can add to the time the system requires to start. If you do not intend to start the system from CD, remove all CDs from the CD-ROM drive before restarting.

For more information about boot order options, consult your system documentation.

Boot Loader Phase

Ntldr loads startup files from the boot partition and then does the following:

Sets an x86-based processor to run in 32-bit flat memory mode

An x86-based computer first starts in real mode. In real mode, the processor disables certain features to allow compatibility with software designed to run on 8-bit and 16-bit processors. Ntldr then switches the processor to 32-bit mode, which allows access to large amounts of memory and enables Windows XP Professional to start.

Starts the file system

Ntldr contains the program code that Windows XP Professional needs to read and write to disks formatted by using the NTFS or file allocation table (FAT16 or FAT32) file systems.

Reads the Boot.ini file

Ntldr parses the Boot.ini file to determine the location of the operating system boot partition. For systems that use a single-boot configuration, Ntldr initiates the hardware-detection phase by starting Ntdetect.com. For multiple-boot configurations that include Windows XP Professional, Windows 2000, Windows Server 2003, Windows NT 4.0, Windows 95, Windows 98, Windows Me, or MS-DOS, you receive a menu of operating system choices at startup. In addition, if the Recovery Console has been installed, the boot loader menu is displayed during startup with the Recovery Console as one of the available options.

Note Computers running Windows NT 4.0 require Service Pack 4 or later to access NTFS volumes previously mounted by Windows 2000, Windows Server 2003, or Windows XP Professional. For more information about NTFS interoperability, see Chapter 13, “Working with File Systems.”

If you choose Windows XP Professional, Windows 2000, Windows Server 2003, or Windows NT 4.0, Ntldr proceeds with the hardware-detection phase. If you do not select Windows XP Professional, Windows 2000, Windows Server 2003, or Windows NT 4.0, control is passed to the boot sector for the other operating system. For example, if you select Windows 95, Windows 98, Windows Me, or MS-DOS, Ntldr passes control to Bootsect.dos by reading MBR code that Bootsect.dos contains. This action causes the MBR code in Bootsect.dos to execute as if the instructions were read from the disk. For more information about Boot.ini, see “Reviewing and Correcting Boot.ini Settings” later in this chapter.

Detects hardware and hardware profiles

Ntldr starts Ntdetect.com, a program that performs basic device detection. Ntldr then passes Boot.ini information, as well as hardware and software data in the registry, to Ntoskrnl.exe. Ntdetect.com detects hardware profile information (for example, docked and undocked configurations for portable computers) and also checks for information stored in Advanced Configuration and Power Interface (ACPI) tables. ACPI-compliant firmware enables Windows XP Professional to detect device power management features and determine device resource requirements.

For more information about ACPI, see the ACPI link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Detect and Configure Hardware Phase

After processing the Boot.ini file, Ntldr starts Ntdetect.com. Ntdetect.com collects information about installed hardware by using calls to system firmware routines. Ntdetect.com then passes this information back to Ntldr. Ntldr gathers the data received from Ntdetect.com and organizes the information into internal data structures. Ntldr then starts Ntoskrnl.exe and provides it with information obtained from Ntdetect.com.

Ntdetect.com collects the following type of hardware and device information:

• System firmware information, such as time and date

• Bus and adapter types

• Video adapters

• Keyboard

• Communication ports

• Disks

• Floppy disks

• Input devices (such as mouse devices)

• Parallel ports

• Devices installed on the Industry Standard Architecture (ISA) bus

Ntdetect.com plays a greater role for device enumeration in computers that are not ACPI compliant because in those computers, the firmware, not the operating system, determines the resources assigned to devices. For computers with ACPI firmware, Windows XP Professional assigns the hardware resources to use.

During this phase, Ntdetect.com searches for hardware profile information. Windows XP Professional creates a single default profile for desktop computers and creates two default profiles for portable computers. For portable computers, the operating system selects the appropriate profile based on the hardware state of the computer:

• Desktop computer.

Profile 1

• Portable computer.

  • Docked Profile

  • Undocked Profile

Hardware profiles are especially useful for portable computers because the hardware state of these computers is not static. Drivers for devices not listed in a particular hardware profile are not loaded during startup.

For more information about creating and using hardware profiles, see Windows XP Professional Help and Support Center. Also see article 225810, “How to Create Hardware Profiles on Windows 2000–Based Mobile Computers,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Also, see Chapter 9, “Managing Devices,” and Chapter 7, “Supporting Mobile Users.”

Kernel Loading Phase

Ntldr is responsible for loading the Windows kernel (Ntoskrnl.exe) and the hardware abstraction layer (HAL) into memory. The Hal.dll file that your computer uses can vary. During installation, Windows XP Professional Setup copies one of several HAL files and renames the file Hal.dll. (See Table 29-2 for a list of HAL files.)

To view the computer description in Device Manager

1. In the Run dialog box, type devmgmt.msc and then click OK.

2. In Device Manager, expand Computer to view the description of your computer.

   By comparing the description that Device Manager uses to the descriptions listed in Table 29-2, you can determine the HAL file that is copied to your computer from the Windows XP Professional operating system CD.

Table 29-2 Description of Different Hal.dll Files

Computer Description in Device Manager	HAL File Copied
ACPI Multiprocessor PC	Halmacpi.dll
ACPI Uniprocessor PC	Halaacpi.dll
Advanced Configuration and Power Interface (ACPI) PC	Halacpi.dll
MPS Multiprocessor PC	Halmps.dll
MPS Uniprocessor PC	Halapic.dll
Standard PC	Hal.dll
Compaq SystemPro Multiprocessor or 100% Compatible	Halsp.dll

Together, the kernel and the HAL initialize a group of software components that are called the Windows executive. The Windows executive processes the configuration information stored in registry control sets, and starts services and drivers.

For more information about Windows executive services, see “Common Stop Messages for Troubleshooting” on the companion CD.

Control sets

Ntldr reads control set information from the HKEY_LOCAL_ MACHINE\SYSTEM registry key, which is created from information in the systemroot\System32\Config\System file, so that Ntldr can determine which device drivers need to be loaded during startup. Typically, several control sets exist, with the actual number depending on how often system configuration settings change.

Caution Do not edit the registry unless you have no alternative. The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back it up first.

Typical registry control set subkeys are:

• \CurrentControlSet, a pointer to a ControlSetxxx subkey (with xxx representing a control set number, such as 001) designated in the \Select\Current entry.

• \Clone, a copy of \CurrentControlSet, created each time you start your computer.

• \Select, which contains the following entries:

  1. Default, which points to the control set number (for example, 001=ControlSet001) that the system has specified for use at the next startup. If no error or manual invocation of the LastKnownGood startup option occurs, this control set number is designated as the value of the Default, Current, and LastKnownGood entries (assuming that a user is able to log on successfully).

  2. Current, which points to the last control set that was used to start the system.

  3. Failed, which points to a control set that did not start Windows XP Professional successfully. This value is updated when the LastKnownGood option is used to start the system.

  4. LastKnownGood, which points to the control set that was used during the last user session. When a user logs on, the LastKnownGood control set is updated with configuration information from the previous user session.

Ntldr uses the control set identified by the Default value unless you choose the Last Known Good Configuration from the Windows Advanced Options menu.

The kernel uses the internal data structures provided by Ntldr to create the HKEY_LOCAL_MACHINE\HARDWARE key, which contains the hardware data collected at system startup. The data includes information about various hardware components and system resources allocated to each device. To monitor the kernel load process, watch the Starting up progress indicator that appears during startup. For more information about Last Known Good Configuration, see Appendix C, “Tools for Troubleshooting.”

Windows XP Professional supports an extensive set of devices. New or updated drivers that are not on the Windows XP Professional operating system CD are provided by hardware manufacturers. In addition, service packs such as Windows XP Service Pack 2 provide signed drivers for hardware devices that were not available when Windows XP was first released.

Drivers are kernel-mode components required by devices to function within an operating system. Services are components that support operating system functions and applications. Services can run in a different context than user applications and typically do not offer many user-configurable options. Services, such as the Print Spooler, do not require a user to be logged on to run and act independently of the user who is logged on to the system. Windows XP Professional driver and service files are typically stored in the systemroot\System32 and systemroot\System32\Drivers folders and use .exe, .sys, or .dll file name extensions.

Drivers are also services. Therefore, during kernel initialization, Ntldr and Ntoskrnl.exe use the information stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename registry subkeys to determine both the drivers and services to load. For example, Ntldr searches the Services subkey for drivers with a Start value of 0, such as hard disk controllers. After Ntldr starts Ntoskrnl.exe, an Ntoskrnl.exe component searches for and starts drivers, such as network protocols, that have a Start value of 1.

Table 29-3 lists the values (in decimal) for the Start entry. Boot drivers (those with a Start value of 0) and file system drivers are always loaded regardless of their Start value because they are required to start Windows XP Professional.

Table 29-3 Values for a <servicename> Start Entry

Value	Start Type	Value Descriptions for Start Entries
0	Boot	Specifies a driver that is loaded (but not started) by firmware calls made by Ntldr. If no errors occur, the kernel starts the driver.
1	System	Specifies a driver that loads at kernel initialization during the startup sequence by calling Windows XP Professional boot drivers.
2	Auto load	Specifies a driver or service that is initialized at system startup by Session Manager (Smss.exe) or Service Controller (Services.exe).
3	Load on demand	Specifies a driver or service that is manually started by a user, a process, or another service.
4	Disabled	Specifies a disabled (not started) driver or service.

Table 29-4 lists some of the values (in decimal) for the Type entry.

Table 29-4 Values for a <servicename> Type Entry

Value	Value Descriptions for Type Entries
1	Specifies a kernel device driver
2	Specifies a file system driver (also a kernel device driver)
4	Specifies parameters passed to the device driver
16	Specifies a service that obeys the service control protocol, can run in a process by itself, and can be started by the Services Controller
32	Specifies a service that can share a process with other services

Some drivers and services require that certain dependencies be met before they start. You can find dependencies listed under the DependOnGroup and DependOnService entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\servicename subkey for each service or driver. For more information about using dependencies to prevent or delay a driver or service from starting, see “Temporarily Disabling Services” later in this chapter. The Services subkey also contains information that affects how drivers and services are loaded, a few of which are listed in Table 29-5.

Table 29-5 Other Registry <servicename> Entries

Entry	Description
DependOnGroup	At least one item from this group must start before this service is loaded. The subkey SYSTEM\CurrentControlSet\Control\ServiceGroupOrder contains the service group load order.
DependOnService	Lists the specific services that must load before this service loads.
Description	Describes the component.
DisplayName	Specifies the display name of the component.
ErrorControl	Controls whether a driver error requires the system to use the LastKnownGood control set or to display a Stop message. If the value is 0x0 (Ignore, no error is reported), do not display a warning and proceed with startup. If the value is 0x1 (Normal, error reported), record the event to the System Event Log and display a warning message, but proceed with startup. If the value is 0x2 (Severe), record the event to the System Event Log, use the LastKnownGood settings, restart the system, and proceed with startup. If the value is 0x3 (Critical), record the event to the System Event Log, use the LastKnownGood settings, and restart the system. If the LastKnownGood settings are already in use, display a Stop message.
Group	Designates the group that the driver or service belongs to. This allows related drivers or services to start together (for example, file system drivers). The registry entry List in the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\ServiceGroupOrder specifies the group startup order.
ImagePath	Identifies the path and file name of the driver or service if the ImagePath entry is present. Use Windows Explorer to verify the path and file name.
ObjectName	Specifies an object name. If the Type entry specifies a Windows XP Professional service, it represents the account name that the service uses to log on when it runs.
Tag	Designates the order in which a driver starts within a driver group.

Session Manager

After all entries that have Boot and Startup data types are processed, the kernel starts Session Manager. Session Manager (Smss.exe) performs important initialization functions, such as:

• Creating system environment variables.

• Starting the kernel-mode portion of the Windows subsystem (implemented by systemroot
  \System32\Win32k.sys), which causes Windows XP Professional to switch from text mode to graphics mode. Windows-based applications run in the Windows subsystem. This environment allows applications to access operating system functions, such as displaying information to the screen.

• Starting the user-mode portion of the Windows subsystem (implemented by systemroot
  \System32\Csrss.exe).

• Starting the Logon Manager (systemroot\System32\Winlogon.exe).

• Creating additional virtual memory paging files.

• Performing delayed rename operations for files listed in the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  \PendingFileRenameOperations. For example, you might be prompted to restart the computer after installing a new driver or application so that Windows XP Professional can replace the file in use.

The Windows subsystem and the applications that run within it are user mode processes; they do not have direct access to hardware or device drivers. User-mode processes run at a lower priority than kernel-mode processes. When the operating system needs more memory, it can page to disk the memory that is used by user-mode processes. For more information about user-mode and kernel-mode components, see “Common Stop Messages for Troubleshooting” on the companion CD.

Session Manager searches the registry for service information that is contained in the following subkeys:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager contains a list of commands to run before loading services. The Autochk.exe tool is specified by the value of the BootExecute entry and virtual memory (paging file) settings stored in the Memory Management subkey. Autochk, which is a version of the Chkdsk tool, runs at startup if the operating system detects a file system problem that requires repair before completing the startup process. For more information about Autochk and Chkdsk, see Chapter 28, “Troubleshooting Disks and File Systems.”

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
  \Subsystems contains a list of available subsystems. For example, Csrss.exe contains the user-mode portion of the Windows subsystem.

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename. The Service Control Manager initializes services that the Start entry designates as Auto-load.

Logon Phase

The Windows subsystem starts Winlogon.exe, a system service that enables logging on and off. Winlogon.exe then does the following:

• Starts the Services subsystem (Services.exe), also known as the Service Control Manager (SCM).

• Starts the Local Security Authority (LSA) process (Lsass.exe).

• Parses the Ctrl+Alt+Del key combination at the Begin Logon prompt.

The Graphical Identification and Authentication (GINA) component collects the user name and password, and passes this information securely to the LSA for authentication. If the user supplied valid credentials, access is granted by using either the Kerberos V 5 authentication protocol or NTLM. For more information about security components, such as LSA, Kerberos V5 protocol, or NTLM, see the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit.

Winlogon initializes security and authentication components while the Service Control Manager initializes Auto-load services and drivers. After the user logs on, the following events occur:

• Control sets are updated.

  The control set referenced by the LastKnownGood registry entry is updated with the contents in the Clone entry. Clone, which is a copy of the CurrentControlSet entry, is created each time you start your computer. When a user logs on, the LastKnownGood control set is updated with configuration information from the previous user session.

• Group Policy settings take effect.

  Group Policy settings that apply to the user and computer take effect. For more information about Group Policy, see Chapter 1, “Planning Deployments;” Chapter 5, “Managing Desktops;” and Chapter 17, “Managing Authorization and Access Control,” and see “Group Policy” in the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit. Also, see the Change and Configuration Management Deployment Guide link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

• Startup programs run.

  Windows XP Professional starts logon scripts, startup programs, and services referenced in these registry subkeys and folder locations:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Runonce

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \policies\Explorer\Run

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
    \Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion
    \Windows\ Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
    \RunOnce

  • systemdrive\Documents and Settings\All Users\Start Menu\Programs\ Startup

  • systemdrive\Documents and Settings\username\Start Menu\Programs\ Startup

  • windir\Profiles\All Users\Start Menu\Programs\Startup

  • windir\Profiles\username\Start Menu\Programs\Startup

The windir\Profiles folders exist only on systems that are upgraded from Windows NT 4.0. For more information on registry keys used for starting programs, see article 179365, “INFO: Run, RunOnce, RunServices, RunServicesOnce and Startup,” in the Microsoft Knowledge Base at http://support.microsoft.com. For additional information, see article 314488, “How to Modify the List of Programs that Run When You Start Windows XP,” in the Microsoft Knowledge Base at http://support.microsoft.com.

Windows XP Professional startup is not complete until a user successfully logs on to the computer.

Plug and Play Device Detection

Plug and Play detection runs asynchronously with the logon process and relies on system firmware, hardware, device driver, and operating system features to detect and enumerate new devices. Windows XP Professional optimizes Plug and Play support for computers equipped with ACPI firmware and enables enhanced features, such as hardware resource sharing.

When Plug and Play components are well coordinated, Windows XP Professional can detect new devices, allocate system resources, and install or request drivers with minimal user intervention. ACPI features are especially useful for mobile users who use portable computers that support standby, hibernation, hot and warm docking, or undocking features.

For more information about Plug and Play device detection and system resources, see Chapter 9, “Managing Devices,” and Chapter 7, “Supporting Mobile Users.”

Following a Process for Startup and Recovery

If you cannot start Windows XP Professional, the operating system provides several ways to identify the cause and resolve the problem.

If the startup problem occurs immediately after updating or installing a specific device driver or application

Restore previous system settings by using the following features:

1. Use the Last Known Good Configuration.

2. If you are in normal or safe mode, undo a device driver update by rolling back a driver.

3. In normal or safe mode, use System Restore to restore a previous system configuration.

The preceding options are not limited to troubleshooting startup problems; they also apply to any problem affecting the operating system.

If you are still unable to start your system in normal mode

Restart your computer in safe mode and disable services and software that might be interfering with startup:

1. Temporarily disable applications and processes.

2. Temporarily disable services.

3. Uninstall software.

If the problem prevents you from starting in safe mode

Try the following:

1. Use Recovery Console to replace corrupted files or to perform other manual recovery operations.

2. Examine and correct the Boot.ini settings.

3. Perform a parallel Windows XP Professional installation, and use Backup to restore operating system files from backup media.

4. Use Automated System Recovery (ASR) in Windows XP Professional Backup to reformat the system partition and restore operating system files from backup media.

Restoring to the Last Known Good Configuration

Use Last Known Good Configuration to correct instability or startup problems by reversing the most recent system and driver changes within a hardware profile. When you use this feature, you lose all configuration changes that were made since you last successfully started your system.

Using the Last Known Good Configuration restores previous drivers and also restores registry settings for the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. Windows XP Professional does not update the LastKnownGood control set until you successfully start the operating system in normal mode and log on.

When you are troubleshooting, use Last Known Good Configuration before you try other options, such as safe mode. However, if you have reasons to use safe mode first, logging on to the computer in safe mode does not update the LastKnownGood control set so, Last Known Good Configuration remains an option even if you use safe mode first.

To access the Last Known Good Configuration startup option

1. Remove all floppy disks and CDs from your computer, and restart your computer.

2. Press F8 when prompted.

   If Windows XP Professional starts without displaying a menu similar to that shown in Figure 29-4, restart your computer. Press F8 after the firmware POST process completes but before Windows XP Professional displays graphical output.

3. On the Windows Advanced Options menu, select Last Known Good Configuration.

When Windows XP Professional starts, it reads status information from the file systemroot\Bootstat.dat. If Windows XP detects that the last startup attempt was unsuccessful, it automatically displays the message and startup options that are shown in Figure 29-1.

Caution If you suspect that changes made since you last successfully restarted the computer are causing problems, do not log on because logging on causes the Last Known Good Configuration control set to be overwritten (unless you log on in safe mode). Instead, restart the computer and use the Last Known Good Configuration. For more information about control sets, see “Kernel Loading Phase” earlier in this chapter.

For more information about the Last Known Good Configuration, see Windows XP Professional Help and Support Center, and also see Appendix C, “Tools for Troubleshooting,” in this book. See also article 307852, “How to start your computer by using the Last Known Good Configuration feature in Windows XP,” in the Microsoft Knowledge Base at http://support.microsoft.com.

Starting in Safe Mode

Safe mode is a diagnostic startup environment that runs only a subset of the drivers and services that are in your system memory. Safe mode is useful when you install software or a device driver that causes instability or problems with starting in normal mode. In most cases, safe mode allows you to start Windows XP Professional and then troubleshoot problems that prevent startup.

Logging on to the computer in safe mode does not update the LastKnownGood control set. Therefore, if you log on to your computer in safe mode and then decide you want to try Last Known Good Configuration, the LastKnownGood control set is still available.

In safe mode, Windows XP Professional uses the minimum set required to start the graphical user interface (GUI). The following registry subkeys list the drivers and services that start in safe mode:

• Safe mode

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal

• Safe mode with networking

  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network

To access safe mode

1. Remove all floppy disks and CDs from your computer, and restart your computer.

2. Press F8 when prompted.

   If Windows XP Professional starts without displaying the menu shown in Figure 29-4, restart your computer. Press F8 after the firmware POST process completes but before Windows XP Professional displays graphical output.

3. On the Windows Advanced Options menu, select Safe Mode, Safe Mode with Networking, or Safe Mode with Command Prompt.

Select a safe mode option from the startup recovery menu that appears when Windows XP Professional detects that the startup attempt was unsuccessful. For more information about the startup recovery menu, see “Restoring to the Last Known Good Configuration” earlier in this chapter.

For more information about safe mode, see Windows XP Professional Help and Support Center and Appendix C, “Tools for Troubleshooting.” Also see article 315222, “A Description of Safe Mode Boot Options in Windows XP,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Rolling Back Drivers

When you update a device driver, your computer might have problems that it did not have with the previous version. For example, installing an unsigned device driver might cause the device to malfunction or cause resource conflicts with other installed hardware. Installing faulty drivers might cause Stop errors that prevent the operating system from starting in normal mode. Typically, Stop message text displays the file name of the driver that causes the error.

Windows XP Professional provides a feature called Device Driver Roll Back, which can help you restore system stability by rolling back a driver update.

Note Use System Information to determine whether a driver on your system is signed and to obtain other information about the driver, such as version, date, time, and manufacturer. This data, combined with information from the manufacturer’s Web site, can help you decide whether to roll back or update a device driver.

To roll back a driver

1. In Control Panel, open System.

2. Click the Hardware tab, and then click Device Manager.

3. Expand a category (Standard floppy disk controller, for example), and then double-click a device.

4. Click the Driver tab, and then click Roll Back Driver.

   You are prompted to confirm that you want to overwrite the current driver. Click Yes to roll back the driver. The roll back process proceeds, or you are notified that an older driver is not available.

   Tip You can also open the System Properties box from the Start menu by clicking Run and typing sysdm.cpl in the Run dialog box. Some Control Panel tools are stored in the systemroot\System32 folder and use a .cpl file name extension. Start frequently used Control Panel tools from the Run dialog box or by creating shortcuts.
   Other frequently used files include Appwiz.cpl (Add or Remove Programs), Hdwwiz.cpl (Add Hardware Wizard), Mmsys.cpl (Sounds and Audio Devices Properties), Nusrmgr.cpl (User Accounts), and Powercfg.cpl (Power Options Properties).

For more information about Device Driver Roll Back and about using System Information to check for unsigned drivers, see Windows XP Professional Help and Support Center, and see also Appendix C, “Tools for Troubleshooting,” in this book. See articles 283657, “How To Use the Roll Back Driver Feature in Windows XP,” and 306546, “How to Use the Driver Roll Back Feature to Restore a Previous Version of a Device Driver in Windows XP,” in the Microsoft Knowledge Base at http://support.microsoft.com.

Using System Restore to Undo Changes

Using System Restore, you can restore your system to an earlier state, a state prior to when you began having problems. System Restore monitors changes to certain system and application files. It functions like an “undo” feature, allowing you to recover from system problems, such as those caused by incorrect system settings, faulty drivers, and incompatible applications. System Restore restores your system state without risk to personal files, such as documents or e-mail.

When you need to restore to an earlier system setting, select a restore point that was created when the system functioned correctly. Restore points are registry “snapshots” that System Restore creates, stores, and manages. System Restore copies monitored files to data stores on hard disk before Windows XP Professional overwrites, deletes, or changes the files.

When Windows XP Professional is running in normal mode, System Restore creates restore points in the background without user intervention. You can also manually create restore points, for example, before installing new hardware or software. In safe mode, you can use restore points but you cannot create them.

To start the System Restore Wizard

• From the Start menu, click Help and Support, click Tools, and then click System Restore.

For more information about System Restore, see Windows XP Professional Help and Support Center and Appendix C, “Tools for Troubleshooting.”

Temporarily Disabling Applications and Processes

If a problem occurs after installing new software, temporarily disable or uninstall the application to verify that the application is the source of the problem.

Problems with applications that run at startup can cause logon delays or even prevent you from completing Windows XP Professional startup in normal mode. The following subsections provide techniques for temporarily disabling startup programs:

• Disabling Startup Programs by Using the System Configuration Utility

• Disabling Startup Programs by Using the SHIFT Key

• Disabling Startup Programs by Using the Group Policy Snap-In

• Disabling Startup Programs for Computers on a Network

• Manually Disabling Startup Programs

Disabling Startup Programs by Using the System Configuration Utility

System Configuration Utility allows you to disable startup programs individually or several at a time. Disable startup programs that do not use the registry to store configuration information but that instead use the Win.ini file. For example, on x86-based computers, use this tool to disable 16-bit startup programs.

To disable a startup program by using the System Configuration Utility

1. In the Run dialog box, type msconfig, and then click OK.

2. To disable startup programs, select the General tab, click Selective Startup, and then click to clear the Process WIN.INI File and Load Startup Items check boxes.

   – or –

   To disable specific startup items, select the Startup or WIN.INI tab, and then click to clear the check boxes that correspond to the items you want to disable. You can also click Disable All on the Startup and WIN.INI tabs to disable all items on each tab.

If you change any startup setting by using the System Configuration Utility, Windows XP Professional displays the following message when you log on:

Note: The following code snippet has been displayed in multiple lines only for better readability. These should be entered in a single line.

You have used the System Configuration Utility to make 
temporary changes to some of your system settings. 
To return to normal operations, choose the Normal 
option on the General tab.

The preceding message and the System Configuration Utility continue to appear each time you log on until you restore the original startup settings by clicking Normal Startup under Startup Selection on the General tab. To permanently change a startup setting, you must move or delete startup shortcuts, change a Group Policy setting, or uninstall the application that added the startup application.

For more information about the System Configuration Utility, see Windows XP Professional Help and Support Center and Appendix C, “Tools for Troubleshooting.”

Disabling Startup Programs by Using the SHIFT Key

One way to simplify your configuration is to disable startup programs. Hold down the SHIFT key during the logon process to prevent the operating system from running startup programs or shortcuts in the following folders:

• systemdrive\Documents and Settings\Username\Start Menu\Programs\Startup

• systemdrive\Documents and Settings\All Users\Start Menu\Programs\Startup

• windir\Profiles\Username\Start Menu\Programs\Startup

• windir\Profiles\All Users\Start Menu\Programs\Startup

  The windir folders exist only on computers that are upgraded from Windows NT 4.0.

To disable the programs or shortcuts in the preceding folders, you must hold down the SHIFT key until the desktop icons appear. Holding down the SHIFT key is a better alternative than temporarily deleting or moving programs and shortcuts because this procedure affects only the current user session.

To use the SHIFT key to disable programs and shortcuts in startup folders

1. Log off the computer.

2. In the Welcome to Windows dialog box, press Ctrl+Alt+Del.

3. In the Log On to Windows dialog box, type your user name and password and then click OK.

4. Immediately hold down the SHIFT key. The mouse cursor changes shape from a plain pointer to a pointer with an hourglass. (It might do this several times.)

5. Continue to hold down the SHIFT key until the Windows XP Professional desktop icons appear and the mouse cursor stops changing shape.

Disabling Startup Programs by Using the Group Policy Snap-In

Use the Group Policy MMC snap-in to disable programs that run at startup. Before you use this snap-in, you must be familiar with Group Policy concepts, and you must understand how to view registry entries and change local Group Policy settings.

For information about Group Policy and using the Group Policy snap-in, see Chapter 1, “Planning Deployments;” Chapter 5, “Managing Desktops;” and Chapter 17, “Managing Authorization and Access Control,” and see “Group Policy” in the Distributed Systems Guide of the Microsoft Windows 2000 Server Resource Kit. Also see “Using Group Policy” in Windows XP Professional Help and Support Center and the Change and Configuration Management Deployment Guide link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

If you are uncertain which startup programs to disable, view the registry startup information that appears in certain registry subkeys. For information about viewing registry entries, see “To open Registry Editor” in Windows XP Professional Help and Support Center and Table 29-6, Table 29-7, and Table 29-8.

Caution Do not edit the registry unless you have no alternative. The Registry Editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back it up first.

To disable startup programs by using the Group Policy snap-in

1. In the Run dialog box, type gpedit.msc and then click OK.

2. Under Local Computer, click the plus sign (+) to expand either of the following:

   • Computer Configuration

   • User Configuration

3. Expand Administrative Templates, expand System, and then click Logon.

4. Double-click the Group Policy setting Run these programs at user logon.

5. For the programs that appear in either registry subkey that shows in Table 29-6, do one of the following:

   • To disable all the programs that are listed in the following subkeys, click Disabled.

     Disabling this Group Policy deletes the computer or user Run subkey described in Table 29-6.

   • To selectively disable individual programs that are listed in the computer or user Run subkey, click Enabled, and then click Show. In the Show Contents dialog box, select a program to disable, and then click Remove.

     If you enable the preceding Group Policy settings, the programs listed in the corresponding registry subkeys no longer start automatically when a user logs on to the system.

Table 29-6 Registry Subkeys That List the Programs That Run at User Logon

Group Policy Setting	Run List Controlled by the Group Policy Setting “Run these programs at user logon”
Computer	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Policies\Explorer\Run
User	HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Policies\Explorer\Run

Change additional Group Policy settings to simplify your computer configuration when you are troubleshooting startup problems. Table 29-7 lists the registry subkeys that are controlled by the Group Policy setting Do not process the run once list. If you enable this Group Policy setting, the system ignores the programs listed in the following RunOnce registry subkeys the next time a user logs on to the system.

Table 29-7 Registry Subkeys That List the Programs That Run Once

Group Policy Setting	RunOnce List Managed by the Group Policy Setting “Do not process the run once list”
Computer	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\RunOnce
User	HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\RunOnce

Table 29-8 lists the computer registry subkey that is controlled by the Group Policy setting Do not process the legacy run list. Listed in this registry subkey are a customized list of programs that were configured by using the system policy editor for Windows NT 4.0 or earlier. If you enable this Group Policy setting, the system ignores the programs listed in the corresponding registry subkey when you start your computer. If you disable or do not configure this Group Policy setting, the system processes the customized run list that is contained in this registry subkey when you start the computer.

Table 29-8 Registry Subkey That Lists Customized Legacy Programs

Group Policy Setting	Customized Run List Controlled by the Group Policy Setting “Do not process the legacy run list”
Computer	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ CurrentVersion\Run

Group Policy changes do not always take effect immediately. Use the Gpupdate (Gpupdate.exe) tool to refresh local Group Policy changes to computer and user policies. (Gpupdate replaces the secedit /refreshpolicy command used in Windows 2000 to refresh Group Policy settings.) After you refresh the policy, use the Group Policy Result (Gpresult.exe) tool to verify that the updated settings are in effect. For more information about using Gpupdate, see Windows XP Professional Help and Support Center.

Disabling Startup Programs for Computers on a Network

If your computer is on a network, additional steps might be required to disable startup programs that are started by Group Policy settings, roaming user profiles, logon scripts, or scheduled system management tasks. Ask your network administrator for network test accounts that exclude items such as logon scripts that you know are not causing problems on other computers.

To check Group Policy settings, use the Resultant Set of Policy (RSoP) MMC snap-in (Rsop.msc) or the Group Policy Result (Gpresult.exe) tool to view the policies currently in effect for your user and computer accounts. The information provided by these tools can assist you with troubleshooting or help you determine the policy settings that might affect your results.

You can also prevent Group Policy, logon scripts, roaming user profiles, scheduled tasks, and network-related issues from affecting your troubleshooting by temporarily disabling the network adapter and then logging on by using a local computer account.

To disable a network adapter

1. Do one of the following:

   • In Control Panel, open Network Connections.

   • In the Run dialog box, type ncpa.cpl, and then click OK.

2. Right-click the Local Area Connection icon, and then click Disable.

If you use roaming user profiles and do not want to disable the network adapter, temporarily switch to locally cached user profiles. Making this change preserves local diagnostic changes in case you need to log off and log on, or restart the computer. This change also prevents the roaming user profile from overwriting your diagnostic changes each time you log on to the computer.

To switch from roaming user profiles to locally cached user profiles

1. In Control Panel, open System, and then click the Advanced tab.

2. Under User Profiles, click Settings, and then click the name of your user profile.

3. Click Change Type, and then click Local profile.

For more information about roaming user profiles, see Windows XP Professional Help and Support Center and Chapter 5, “Managing Desktops.”

Manually Disabling Startup Programs

Use the Registry Editor Regedit.exe to disable the registry entries for startup programs. For a list of registry subkeys that contain entries for service and startup programs, see “Logon Phase” earlier in this chapter. Some changes will not take effect until you restart the computer.

To prevent startup programs from running, use Windows Explorer or Recovery Console to temporarily move shortcuts in the following folders to another location on the hard disk:

• systemdrive\Documents and Settings\username\Start Menu\Programs\Startup

• systemdrive\Documents and Settings\All Users\Start Menu\Programs\Startup

• windir\Profiles\username\Start Menu\Programs\Startup

• windir\Profiles\All Users\Start Menu\Programs\Startup

  The windir folders exist only on computers that are upgraded from Windows NT 4.0.

For the startup program changes to take effect, you must log off or restart the computer and log on again.

For more information about disabling startup programs, see article 270035, “How to Modify the List of Programs that Run at When You Startup Windows,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Ending processes and applications that are not responding

A startup program or a process that stops responding can cause delays or prevent you from logging on to Windows XP Professional. A process is an instance of an application, including the set of system resources that run an application. Use Task Manager to view and selectively end applications and processes, allowing the startup process to continue.

When you are in normal or safe mode, you can also use Task Manager to gather system information, such as CPU and memory statistics.

To start Task Manager

• Press Ctrl+Alt+Del, and then click Task Manager, as shown in Figure 29-2.

The Applications and Processes tabs provide a list of active applications and processes, some of which run in the background and might not show activity. You can use the End Process button to end most of the items listed. Save all data before ending any process because this action can cause the system to stop responding.

You can also customize Task Manager to display more information on the Processes tab.

To display more information on the Processes tab

1. Open Task Manager, and then click the Processes tab.

2. On the View menu, click Select Columns.

3. Select or clear the check box for each item you want to change.

To obtain more information about Task Manager, open Task Manager, and on the Help menu, click Task Manager Help Topics.

Also, processes can be stopped using command-line tools:

• Task List (Tasklist.exe)

• Task Kill (Taskkill.exe)

Task List displays information similar to that displayed by the Task Manager Processes tab. For each process, Task List displays useful information, such as the name of the process, the process identification number (PID), and the amount of memory used.

To end a process, run Task Kill by using the process ID or any part of the process name, such as the title of the application window, as a command-line parameter. For more information about Task List and Task Kill, see Windows XP Professional Help and Support Center.

Preserving the core system processes

When you are deciding which processes to temporarily disable, avoid ending the processes that are listed in Table 29-9. This table lists the core processes that are common to all systems running Windows XP Professional. Knowing the core processes is useful because the source of an application or service-related problem is most likely a noncore process.

Table 29-9 Core System Processes

Core Process	Process Description
Csrss.exe*	An essential subsystem that is active at all times. Csrss.exe is the user-mode portion of the Windows subsystem, and it maintains console windows and creates or deletes threads. Csrss stands for client/server run-time subsystem.
Explorer.exe	An interactive graphical user interface shell. It provides the familiar Windows taskbar and desktop environment.
Internat.exe	When enabled, a process that displays the EN (English) and other language icons in the system notification area, allowing the user to switch between locales.
Lsass.exe*	The local security authentication (LSA) subsystem server component generates the process that authenticates users for the Winlogon service. The LSA also responds to authentication information received from the Graphical Identification and Authentication (GINA) Msgina.dll component. If authentication is successful, Lsass.exe generates the user’s access token, which starts the initial shell. Other processes that the user initiates inherit this token.
Mstask.exe*	The task scheduler service. It runs tasks at a time determined by the user.
Smss.exe*	The Session Manager subsystem, which starts the user session. This process is initiated by the system thread and is responsible for various activities, including starting the Winlogon.exe and Csrss.exe services and setting system variables.
Spoolsv.exe*	The spooler service. It manages spooled print and fax jobs.
Svchost.exe*	A generic process that acts as a host for other processes running from dynamic-link libraries (DLLs). Multiple entries for this process might be present in the Task Manager list. For more information about Svchost.exe, see article Q250320, “Description Of Svchost.exe,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.
Services.exe*	The Service Control Manager can start, stop, and pause system services.
System*	The system process, which is the process in which most kernel-mode threads run.
System Idle*	A separate instance of this process runs for each processor present, and has the single purpose of accounting for unused processor time.
Taskmgr.exe	The process that runs Task Manager.
Winlogon.exe*	The process that manages user logon and logoff. Winlogon runs when a user presses CTRL+ALT+DEL to open the logon dialog box.
Winmgmt.exe*	A core component of client management. This process starts when the first client application connects, or when management applications request its services.

* You cannot use Task Manager to end this process.

For more information about threads, processes, and services, see Windows XP Professional Help and Support Center.

Temporarily Disabling Services

Many services automatically run at startup, but others are started only by users or by another process. The operating system, drivers, and applications that are loaded on a computer determine the services that run. For example, two Windows XP Professional systems with identical hardware installed can be running different services if they have a different set of applications installed.

When you troubleshoot startup issues related to system services, a useful technique is to simplify your computer configuration to reduce system complexity and isolate operating system services. To decrease the number of variables, temporarily close all applications or services and start them one at a time until you reproduce the problem. Always close applications first, before attempting to disable system services.

This section helps you do the following:

• Use service tools to diagnose and resolve startup issues.

• Determine service dependencies.

• Determine the services and processes to temporarily disable.

Using Service Tools to Diagnose and Resolve Startup Issues

Windows XP Professional provides tools that can help you troubleshoot services:

• System Configuration Utility

• Services snap-in (Services.msc)

• SC (Sc.exe)

Disabling Services with the System Configuration Utility

The System Configuration Utility allows you to disable system services individually or several at a time. You can also disable certain services that do not use the registry to store configuration information, but that instead use the System.ini file. For example, on x86-based computers, you can use this tool to disable 16-bit services.

To disable a service by using the System Configuration Utility

1. In the Run dialog box, type msconfig and then click OK.

2. Do one of the following:

   • To disable services, on the General tab, click Selective Startup, and then click to clear the Process SYSTEM.INI File and Load System Services check boxes.

   • To disable specific services, on the Services or SYSTEM.INI tab, click to clear the check boxes that correspond to the items you want to disable. You can also click Disable All on the Services and SYSTEM.INI tabs to disable all items on each tab.

If you change a startup setting by using the System Configuration Utility, Windows XP Professional prompts you to return to normal operations the next time you log on. A prompt and the System Configuration Utility appear each time you log on until you restore the original startup settings by clicking Normal Startup under Startup Selection on the General tab. To permanently change a startup setting, use Control Panel, change a Group Policy setting, or uninstall the application that added the service.

For more information about the System Configuration Utility, see Windows XP Professional Help and Support Center and Appendix C, “Tools for Troubleshooting.”

Disabling Services by Using the Services Snap-in

When diagnosing startup problems, use the Services snap-in (Services.msc) in safe and normal modes to view service information or to temporarily disable a service that is causing problems (for example, a driver mentioned in a Stop message). You must have administrator permissions to disable or change the service startup type. Certain startup changes are not in effect until you restart the computer.

To disable a service by using the Services snap-in

1. In the Run dialog box, type services.msc, and then click OK.

   As Figure 29-3 shows, the Services snap-in displays the name, description, status, and startup type for each service.

2. Double-click a service name and then click the General tab. Record the setting for Startup type so that you can later restore the original value if you find that the change was not helpful.

3. Change the Startup type to Disabled.

After disabling the service, try to start your computer in normal mode. If your system starts normally, research technical information sources to find a permanent solution.

Startup type settings remain in effect even after you restart the system. You must use the Services snap-in to restore the original Startup type setting. On the General tab of the Services snap-in, you can specify the following startup types for services:

• Automatic.

  The operating system automatically starts the service.

• Manual.

  A user or another service starts the service.

• Disabled.

  The service does not start.

  

  Figure 29-3 Services snap-in

Managing Services by Using Sc.exe

As an alternative to using the Services snap-in, use Sc.exe, a command-line tool that communicates with the Service Control Manager and displays information about services running on your computer. Sc.exe gathers the same type of information obtainable from the Services snap-in and performs many functions including:

• Display service information, such as start type and whether you can pause or end a service.

• Change the Startup type of a service.

• Start, pause, or resume a service.

• Disable a service by using the sc config command.

For troubleshooting startup, the sc query and sc config commands are the most helpful. The report that follows is an example of the information shown when you type sc query at the command prompt:

SERVICE_NAME: winmgmt 
DISPLAY_NAME: Windows Management Instrumentation 
        TYPE               : 20  WIN32_SHARE_PROCESS 
        STATE              : 4  RUNNING 
                            (STOPPABLE,PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0) 
        SERVICE_EXIT_CODE  : 0  (0x0) 
        CHECKPOINT         : 0x0 
        WAIT_HINT          : 0x0

For more information about Sc.exe, see Windows XP Professional Help and Support Center.

Determining Service Dependencies

Some services and drivers that rely on other components are initialized before starting. If a service or driver does not start, the cause might be a dependency requirement that is not met. Obtain a list of dependencies by using any of the following methods:

• Navigate to the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename, and examine the information contained in the DependOnGroup and DependOnService entries.

• Start the Services tool, double-click the service you want information about, and then click the Dependencies tab.

• Use the Dependency Walker (Depends.exe) Support Tool. For more information about Dependency Walker, see Appendix C, “Tools for Troubleshooting.”

You can also check the Event Viewer System log to obtain information about services that do not start because of dependency issues.

For more information about the Services snap-in, see Windows XP Professional Help and Support Center. For more information about adding or changing service dependencies for troubleshooting purposes, see article 193888, “How to Delay Loading of Specific Services,” in the Microsoft Knowledge Base. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Determining Which Services and Processes to Temporarily Disable

When you are troubleshooting, the method for determining which services and processes to temporarily disable varies from one computer to the next. The most reliable way to determine what you can disable is to gather more information about the services and processes enabled on your computer.

These Windows XP Professional tools and features generate a variety of logs that can provide you with valuable troubleshooting information:

• Error Reporting service

• Dr. Watson

• Boot logging

• System Information

• Event Viewer

Error reporting service

Windows XP Professional provides a Windows error reporting service that monitors your system for problems that affect services and applications. When a problem occurs, you can send a problem report to Microsoft and receive an automated response with more information, such as news about an update for an application, service, or device driver.

For more information about the Error Reporting service, see Windows XP Professional Help and Support Center, and also see Appendix C, “Tools for Troubleshooting.”

Dr. Watson

If an application error (also known as a program exception) occurs, the Dr. Watson application debugging tool (DrWtsn32.exe) records information about the problem to a log, DrWtsn32.log, located in the systemdrive\Documents and Settings\All Users\Application Data
\Microsoft\DrWatson folder. This log contains the following information:

• The file name of the program that caused the error

• Information about the computer and user under which the error occurred

• A list of the programs and services that were active when the error occurred

• A list of components, such as dynamic-link libraries (DLLs), that were in memory when the error occurred

• Additional information that might be useful if you need to contact technical support about an application that is causing errors

The task and component lists are useful for duplicating the conditions under which an application error occurred. Using the lists as a reference, add or remove programs and services until you reproduce the problem. For more information about the Dr. Watson tool, including an overview of the log file and an explanation of the debugging files, see “Setting up Dr. Watson” and “Using the Dr. Watson log file” in Windows XP Professional Help and Support Center.

Boot logging

Boot logging lists the files that were successfully and unsuccessfully processed during startup. Boot logging enables you to log the Windows XP Professional components that are processed when you start your computer in safe mode and also in normal mode. Compare the differences between the two logs to determine which components are not required to start.

Enable boot logging using either of these methods:

• Edit the Boot.ini file as described in “Reviewing and Correcting Boot.ini Settings” later in this chapter. Add the /bootlog parameter, save the revised Boot.ini, and restart the computer. For more information about the /bootlog parameter, see Table 29-14 later in this chapter.

• Restart the computer and press F8 when prompted. On the Windows Advanced Options menu, select Enable Boot Logging.

Windows XP Professional records in a log, windir\Ntbtlog.txt, the name and path of each file that runs during startup. The log marks each file as successful (Loaded driver) or unsuccessful (Did not load driver). Boot logging appends entries to Ntbtlog.txt when you start your system in safe mode. Comparing normal mode and safe mode entries enables you to determine which services run in normal mode only. The following lines are sample Ntbtlog.txt entries:

Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys 
Did not load driver \SystemRoot\System32\DRIVERS\flpydisk.SYS

If you cannot start your computer in normal mode, start it in safe mode. For the services that run only in normal mode, disable those services one at a time, trying to restart your computer in normal mode after you disable each service. Continue to individually disable services until your computer starts in normal mode.

For more information about boot logging, see Windows XP Professional Help and Support Center.

System information

If a startup problem occurs inconsistently and if you can start Windows XP Professional in safe or normal mode, use System Information to view driver and service name, status, and startup information.

System Information enables you to create lists of drivers that were processed during safe and normal mode startup. Compare the differences between the two lists to determine which components are not required to start Windows XP Professional. Use the list of differences to help determine which services to disable. In safe mode, disable a service and then try to restart the operating system in normal mode. Repeat this process for each service until you are able to start in normal mode.

To view service or driver information

1. In the Run dialog box, type msinfo32, and then click OK.

2. Do any of the following:

   • To view service information, click Software Environment and then click Services.

   • To view the state of a driver, click Software Environment and then click System Drivers. Information for each driver is in the State column.

   • To view driver information arranged by category, click Components and then double-click a category, such as Storage.

A related tool, Systeminfo.exe, enables you to view system information, such as processor type, firmware version, and network information, from the command prompt. For more information about System Information and Systeminfo.exe, see Windows XP Professional Help and Support Center.

Event Viewer (Eventvwr.msc)

Use Event Viewer (Eventvwr.msc) to view logs that can help identify system problems. When troubleshooting, use these logs to isolate problems by application, driver, or service, and to identify frequently occurring issues. You can save these logs to a file and specify filtering criteria.

Event Viewer provides three logs for computers running Windows XP Professional:

• Application logs.

  The application log contains events logged by applications or programs. For example, a database program might record read or write errors here.

• Security logs.

  The security log holds security event records, such as logon attempts and actions related to creating, opening, or deleting files. An administrator can specify what events to record in the security log.

• System logs.

  The system log contains information about system components. Use Event Viewer logs to determine which drivers or services did not load.

To use Event Viewer to obtain driver and service error information from the System log

1. In the Run dialog box, type eventvwr.msc, and then click OK.

2. Click System, and on the View menu, click Filter to open the System Properties dialog box.

3. Under Event types, click to clear the Information and Warning check boxes.

4. In the Event source list, click Service Control Manager, and then click OK.

5. Double-click an event entry to view details.

A related command-line tool, Event Query (Eventquery.vbs), searches the event logs using criteria you specify. Event Query allows you to view the Event logs for entries related to specified event properties, including date and time, event ID, and user name.

For more information about using Event Viewer, click the Action menu in Event Viewer and then click Help. For more information about Event Query, click Tools in Help and Support Center.

Uninstalling Software

Simplify your system configuration by uninstalling software, which reduces the number of variables to track and helps you to identify problems more quickly.

If you suspect that an application is causing conflicts, uninstalling software can verify your suspicions. Use Add or Remove Programs in Control Panel to uninstall the software. You can later reinstall applications after locating Windows XP Professional updates or other solutions.

For more information about adding or removing programs, see “Add or Remove Programs overview” in Windows XP Professional Help and Support Center and Appendix C, “Tools for Troubleshooting,” in this book.

Using Recovery Console

If you cannot start your computer in safe mode or by using the Last Known Good Configuration startup option, you can use Recovery Console. With the appropriate permissions, use this command-line interface to start recovery tools, start and stop services, access files on hard disks, and perform advanced tasks, such as manually replacing corrupted system files. You can run Recovery Console from the Windows XP Professional operating system CD, or install it as a startup option.

Infrequently, startup files and critical areas on the hard disk become corrupted. If the corruption is extensive, it might prevent you from starting Windows XP Professional in normal or safe modes, or from using the installed Recovery Console or using the Last Known Good Configuration startup option. In these situations, run Recovery Console from the Windows XP Professional operating system CD.

To start Recovery Console from the Windows XP Professional operating system CD

1. Insert the Windows XP Professional operating system CD into the CD-ROM drive, and restart the computer. When prompted, press a key to start Setup.

2. At the Setup Notification screen, press ENTER.

3. After the Welcome to Setup screen appears, select To repair a Windows XP installation using Recovery Console by pressing R.

   A menu that lists one or more Windows XP Professional installations appears.

4. Type the number corresponding to the installation that you want to use, and then press ENTER.

5. At the prompt, enter the password for the local Administrator account to access the contents of the local hard disk. Recovery Console accepts only the local Administrator account password.

From Recovery Console, you can attempt to replace corrupted files with undamaged copies stored on removable disks, such as a floppy disk or the Windows XP Professional operating system CD.

To use the CD-based Recovery Console, you must set the CD-ROM as the primary boot device (the first item listed in the boot order). If the CD-ROM is not listed as a boot-order option in the computer firmware, you cannot start your system by using the Windows XP Professional operating system CD. You must use startup floppy disks to start Windows XP Professional Setup. For more information about startup floppy disks, see the Getting Started Guide, which comes with Microsoft Windows XP Professional.

Note When you start your system by using the bootable Windows XP Professional operating system CD, Setup checks the hard disk for Windows XP Professional or another Windows operating system, such as Windows 2000 or Windows Me. If another operating system is found, you have the option of bypassing CD-ROM startup by not responding to the Press any key to boot from CD prompt that appears. If you do not press a key within three seconds, Setup does not run and the computer passes control from the CD-ROM to the hard disk.

To install Recovery Console as a startup option

1. With Windows XP Professional running, insert the Windows XP Professional operating system CD into your CD-ROM drive.

2. Click No when prompted to upgrade to Windows XP Professional.

3. In the Run dialog box, type cmd and then click OK.

4. At the command prompt, type:

   drive:\i386\Winnt32.exe /cmdcons

   In the preceding command, drive represents the letter of the CD-ROM or network drive that holds the Windows XP Professional installation files.

5. Restart your computer. Recovery Console appears as an item on the operating system menu when you start your machine.

Using Recovery Console to Disable Services

If you are unable to start Windows XP Professional in normal or safe mode, the cause might be an incorrectly configured driver or service that has caused a Stop message. Stop messages might provide information about the service or driver name, such as a file name. By using Recovery Console, you might be able to disable the problem component and allow the Windows XP Professional startup process to continue in normal or safe mode.

To enable or disable services by using Recovery Console

1. At the Recovery Console prompt, type listsvc.

   The computer displays the service or driver name, startup type, and possibly a friendly driver or service name. Record the name of the driver or service that you want to enable or disable.

2. To disable a driver, type:

   disable drivername

3. To enable a driver, type:

   enable drivername start_type

   Possible values for start_type are:

   • SERVICE_BOOT_START

   • SERVICE_SYSTEM_START

   • SERVICE_AUTO_START

   • SERVICE_DEMAND_START

For more information about Stop messages, see “Common Stop Messages for Troubleshooting” on the companion CD.

Using Recovery Console to Restore the Registry Keys HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SOFTWARE

If the previously discussed recovery methods do not enable you to start Windows XP Professional, try replacing the System and Software files, (in the systemroot\System32\Config folder) with a backup copy from the systemroot\Repair folder. The System and Software files are used by Windows XP Professional to create the registry keys HKEY_LOCAL_MACHINE\SYSTEM and HKEY_LOCAL_MACHINE\SOFTWARE. A corrupted copy of the System or Software file could prevent you from starting Windows XP Professional.

Try other recovery methods before using the manual procedure that follows. The manual procedure enables you to start the operating system, allowing you to perform further repairs by using Windows XP Professional tools.

When using the following procedure, do not replace both the System and Software files as part of a single attempt to start the computer. First replace one file, and then test whether this action resolves the startup problem. If the problem persists, copy the other file. Which file you decide to replace first (the System or Software file), depends on the information that the Stop error displays (hardware or software related).

Using Recovery Console to replace the System file

1. At the Recovery Console prompt, locate the config folder by typing:

   cd system32\config

2. Create backups of the System or Software files by typing:

   copy system <drive:\path\filename>

   – or –

   copy software <drive:\path\filename>

   If they exist, save backups of other files that use file names that start with “system” or “software,” such as System.sav or Software.sav.

3. Replace the current System or Software file by typing:

   copy ..\..\repair\system

   – or –

   copy ..\..\repair\software

4. Answer the Overwrite system? (Yes/No/All): prompt by pressing Y.

5. Restart the computer.

If you are still unable to start your computer, consider performing a parallel operating system installation or an ASR restore operation. For more information about these two recovery options, see “Performing a Parallel Windows XP Professional Installation” and “Saving System Files and Settings by Using Automated System Recovery” later in this chapter. For more information about Stop messages, see “Common Stop Messages for Troubleshooting” on the companion CD.

Consider these points when you replace the System or Software file with a backup copy from the systemroot\Repair folder:

• The System and Software files in the repair folder might not be current. If the files are not c