Appendix E: Startup Sequence Files
| Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist. |
Service Group Order Listing
By viewing the ServiceGroupOrder, you can determine to some extent the order in which device drivers should load and initialize. Individual drivers that are members of a service group will load in the order listed below.
HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \Service
GroupOrder:
SCSI miniport
Port
Primary disk
SCSI class
SCSI CDROM class
Filter
Boot file system
Base
Pointer Port
Keyboard Port
Pointer Class
Keyboard Class
Video Init
Video
Video Save
File system
Event log
Streams Drivers
NDIS
TDI
NetBIOSGroup
SpoolerGroup
NetDDEGroup
Parallel arbitrator
Extended base
RemoteValidation
PCI Configuration
Drivers Initiated as Shown by a Kernel Debugger
Viewing a Windows NT computer as it initializes using a Kernel debugger can be useful when you need to determine whether a device driver is loading in the proper order, or is loading at all. The table below is a sample listing of drivers during a Windows NT computer initialization. This listing was created using a Kernel debugger.
Driver |
Group |
Start / Type |
Dependencies |
Comments |
|---|---|---|---|---|
Atdisk.sys |
Primary disk |
4 / 1 |
|
Non-SCSI hard disk |
Ntfs.sys |
File system |
4 / 2 |
|
NT was booting from an NTFS partition. |
Floppy.sys |
Primary disk |
1 / 1 |
|
Floppy driver |
Scsiflop.sys |
Primary disk |
1 / 1 |
SCSI miniport |
Immediately unloaded because no SCSI devices found. |
Scsiscan.sys |
SCSI Class |
1 / 1 |
SCSI miniport |
Immediately unloaded because no SCSI devices found. |
Scsicdrm.sys |
SCSI CDROM Class |
1 / 1 |
SCSI miniport |
Immediately unloaded because no SCSI devices found. |
Cdaudio.sys |
Filter |
1 / 1 |
|
Immediately unloaded because no sound devices found. |
Fs_Rec.sys |
Boot file system |
1 / 8 |
|
File system recognizer |
Null.sys |
Base |
1 / 1 |
|
NULL device driver |
Beep.sys |
Base |
1 / 1 |
|
Speaker driver |
i8042prt.sys |
Pointer Port |
1 / 1 |
|
Keyboard and mouse port driver |
Mouclass.sys |
Pointer Class |
1 / 1 |
|
Mouse class driver |
Kbdclass.sys |
Keyboard Class |
1 / 1 |
|
Keyboard class driver |
Videoport.sys |
|
|
|
Loaded when VGA.SYS is loaded. |
Vga.sys |
Video Init |
1 / 1 |
|
Unloaded and replaced by QV.SYS. |
Qv.sys |
|
|
|
Video driver |
Vga.sys |
Video Save |
1 / 1 |
|
VGA driver |
Msfs.sys |
File system |
1 / 2 |
|
Mailslot file system |
Npfs.sys |
File system |
1 / 2 |
|
Named Pipe file system |
Fastfat.sys |
Boot file system |
4 / 2 |
|
FAT file system driver |
Ndis.sys |
|
|
|
NDIS layer |
Elnkii.sys |
NDIS |
3 / 1 |
|
Network adapter card driver |
Tdi.sys |
|
|
|
TDI layer |
Tcpip.sys |
|
3 / 1 |
NDIS |
TCP/IP protocol |
Netbt.sys |
TDI |
3 / 1 |
NDIS/TCP/IP |
NetBIOS over TCP/IP |
Netbios.sys |
NetBIOSGroup |
3 / 2 |
TDI |
NetBIOS interface |
Parport.sys |
Parallel arbitrator |
2 / 1 |
|
Parallel port support |
Parallel.sys |
Extended base |
2 / 1 |
Parallel arbitrator/ |
Parallel port driver |
Serial.sys |
Extended base |
2 / 1 |
|
Serial port driver |
Mup.sys |
Network |
3 / 2 |
|
Multiple UNC Provider |
Rdr.sys |
Network |
3 / 2 |
|
Workstation service file system driver |
Srv.sys |
Network |
3 / 2 |
|
Server service file system driver |
Afd.sys |
|
2 / 1 |
|
Windows Sockets helper |
Windows NT Services Automatically Started
These services were configured to start automatically on the Windows NT computer. Knowing the services that should start, and the files that are referenced by each service, can be beneficial in isolating and determining problems and resolutions.
Alerter
Computer Browser
Event Log
License Logging Service
Messenger
Net Logon
NT LM Security Support Provider
Server
Spooler
TCP/IP NetBIOS Helper
Workstation (Lanman Workstation)
Windows NT Service Dependencies
The following table lists these services, the DLL each service relies upon, and any dependencies associated with the service. By knowing the dependencies and files, you can troubleshoot a problem more effectively. For example, if you stop the Workstation service, the Alerter, Messenger, and Net Logon services are also stopped, as they are dependent upon the Workstation service. If an error occurs when you try to start the Workstation service, any of these files could be missing or corrupt. This is also why, if you start one of these services, the Service Control Manager will automatically start the Workstation service if it is not already running.
Service |
Executable |
Dependencies |
DLL Called |
|---|---|---|---|
Alerter |
SERVICES.EXE |
LanmanWorkstation |
ALRSVC.DLL |
Computer Browser |
SERVICES.EXE |
LanmanWorkstation, LanmanServer, LMHOSTS |
BROWSER.DLL |
EventLog |
SERVICES.EXE |
|
EVENTLOG.DLL |
License Logging Service |
LLSSRV.EXE |
|
|
Messenger |
SERVICES.EXE |
LanmanWorkstation, NetBIOS |
MSGSVC.DLL |
Net Logon |
SERVICES.EXE |
LanmanWorkstation, LanmanServer, LMHOSTS |
NETLOGON.DLL |
NT LM Security Support Provider |
SERVICES.EXE |
|
NTLMSSPS.DLL |
Server |
SERVICES.EXE |
TDI |
SRVSVC.DLL |
Spooler |
SPOOLSS.EXE |
|
SPOOLSS.EXE |
TCP/IP NetBIOS Helper |
SERVICES.EXE |
Network Provider (LanmanWorkstation) |
LMHSVC.DLL |
Workstation |
SERVICES.EXE |
TDI |
WKSSVC.DLL |
DLLs Called by Services
Occasionally, when you try to start a service, it fails with a message: "System error 126 has occurred. The specified module could not be found." This message may mean that a dependent DLL was not found. By knowing what DLLs are required for the Windows NT services, you can greatly reduce troubleshooting of Windows NT files. The following table lists the DLLs used by the executable files that represent the above Windows NT services.
Executable |
DLLs |
|---|---|
SERVICES.EXE |
ADVAPI32.DLL, KERNEL32.DLL, NETAPI32.DLL, NTDLL.DLL, RPCRT4.DLL, USER32.DLL |
LLSSRV.EXE |
RPCRT4.DLL, NTDLL.DLL, SHELL32.DLL, NETAPI32.DLL, CRTDLL.DLL, ADVAPI32.DLL, KERNEL32.DLL, USER32.DLL |
SPOOLSS.EXE |
ADVAPI32.DLL, KERNEL32.DLL, RPCRT4.DLL, SPOOLSS.DLL, USER32.DLL |
It is also important to realize that, often, one DLL depends on or uses another DLL. The next table lists the DLLs that are used by each of the DLLs in the previous table.
DLL |
Required DLLs |
|---|---|
ADVAPI32.DLL |
KERNEL32.DLL, MCIOLE.DLL, MCIOLE16.DLL, MPR.DLL, NTDLL.DLL, RPCRT4.DLL, USER32.DLL |
CRTDLL.DLL |
KERNEL32.DLL, NTDLL.DLL |
KERNEL32.DLL |
NTDLL.DLL, PSAPI.DLL |
NETAPI32.DLL |
ADVAPI32.DLL, CRTDLL.DLL, KERNEL32.DLL, NETRAP.DLL, NTDLL.DLL, RPCRT4.DLL, SAMLIB.DLL |
NTDLL.DLL |
CRTDLL.DLL, NTDLL.DLL |
RPCRT4.DLL |
ADVAPI32.DLL, KERNEL32.DLL, NTDLL.DLL |
SHELL32.DLL |
ADVAPI32.DLL, GDI32.DLL, KERNEL32.DLL, NTDLL.DLL, USER32.DLL |
SPOOLSS.DLL |
ADVAPI32.DLL, CRTDLL.DLL, KERNEL32.DLL, NTDLL.DLL, RPCRT4.DLL, USER32.DLL |
USER32.DLL |
GDI32.DLL, KERNEL32.DLL, NTDLL.DLL |
Service Dependencies
In this final section, all this information can be tied together. A sample service, Computer Browser, is used to follow the chain of files loaded, including dependencies, during the service initialization.
In order to load the Computer Browser service, the following files need to be loaded and/or accessed:
Computer Browser (SERVICES.EXE) loads BROWSER.DLL.
Browser depends on LanmanWorkstation, LanmanServer and LMHOSTS.
LanmanWorkstation (Workstation service, SERVICES.EXE) loads WKSSVC.DLL.
LanmanWorkstation depends on TDI (TDI.SYS).
TDI.SYS is automatically loaded by the first dependent service, in this case NetBT.SYS.
The Workstation service is bound to the network protocol, in this case TCP/IP (TCPIP.SYS).
TCP/IP is dependent upon NDIS (NDIS.SYS).
TCP/IP is bound to the network adapter card driver, in this case 3Com® Etherlink II® (ELNKII.SYS).
The 3Com Etherlink II adapter driver is dependent upon the 3Com Etherlink II network adapter.
LanmanServer (Server service, SERVICES.EXE) loads SRVSVC.DLL.
LanmanServer depends on TDI (TDI.SYS)
TDI.SYS is automatically loaded by the first dependent service, in this case NetBT.SYS.
The Server service is bound to the network protocol, in this case TCP/IP (TCPIP.SYS).
TCP/IP is dependent upon NDIS (NDIS.SYS).
TCP/IP is bound to the network adapter card driver, in this case 3Com Etherlink II (ELNKII.SYS).
The 3Com Etherlink II adapter driver is dependent upon the 3Com Etherlink II network adapter.
LMHOSTS (TCP/IP NetBIOS Helper service, SERVICES.EXE) loads LMHSVC.DLL.
- LMHOSTS is a member of the Network Provider group, which is dependent upon LanmanWorkstation.
If a Windows NT computer has no networking services configured to automatically start, here is the listing of Kernel mode drivers started. No additional drivers are loaded even through users log on.
Ntoskrnl.exe
Hal.dll
Atdisk.sys
Ntfs.sys
Floppy.sys
Scsiflop.sys
Scsiscan.sys
Scsicdrm.sys
Cdaudio.sys
Fs_Rec.sys
Null.sys
Beep.sys
I8042prt.sys
Mouclass.sys
Kbdclass.sys
Videoprt.sys
Vga.sys
Qv.sysv.SYS
Vga.sys
Msfs.sys
Npfs.sys
Fastfat.sys
Parport.sys
Parallel.sys
Serial.sys
After logging on, a net start command shows no services started. If, at a command prompt, net start browser is issued, the following drivers are loaded:
Ndis.sys—The adapter card is a member of the NDIS group, so NDIS must be initialized.
Elnkii.sys—This protocol is bound to the adapter, so it must be started
Tdi.sys—This driver sits above protocols, so must be loaded.
Tcpip.sys—This is the TCP/IP protocol stack that was started.
Afd.sys—The Ancillary Function Driver is required for TCP/IP Windows Sockets application support
Netbt.sys—NetBIOS, which is over TCP/IP, is required for the Workstation and Server services
Mup.sys—The Multiple UNC Provider, part of the Network group, is required for Workstation service
Srv.sys—This is the Server service Kernel mode component.
Rdr.sys—This is the Workstation service Kernel mode component.
A net start command shows the following services started:
Computer Browser
DHCP Client
Server
TCP/IP NetBIOS Helper
Workstation (Lanman Workstation)
If, at a command prompt, net start messenger is issued, the following driver is loaded:
netbios.sys—Part of the NetBIOS group, which the Messenger service depends upon.
Messenger is added to the list of services currently started.