Monday, 16 June 2014
Windows – Startup and Shutdown Procedure
Starting Windows and shutting it down are very common tasks that everyone knows. But do you know the processes running behind these two tasks? In this article, we discuss the processes that run behind them.
Windows Startup process
Booting any system requires a program called a boot loader, which is responsible for accessing the file system on the boot drive. This program is also responsible for loading boot-time device drivers into the Read Only Memory. In the newer versions of Windows, the boot loader is called NTLDR. NTLDR starts ntoskrnl.exe, which loads all the Boot as well as System drivers. After ntoskrnl.exe has done its work, the Windows kernel (Windows NT) starts the program smss.exe (Session Manager Subsystem). smss.exe starts winlogon, which is responsible for loading the graphical identification and authentication library. After this, the Windows logon screen appears. Here the user selects the respective Username and enters the Password. When the user successfully enters the password, the startup sound is played. Once the user has successfully logged in to the machine, Explorer.exe is loaded from the System.ini file. After this, explorer.exe loads a list of all the Startup programs into memory. It is also responsible for applying User settings.
In the newer versions of Windows (Vista and after), the boot loader is called winload.exe and it is loaded into memory by Windows Boot Manager.
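The chain described above (smss.exe, then winlogon, then explorer.exe) can be checked on a running machine. The script below is an added example, not part of the original post: it lists the live instances of those three processes with their parent and image path. The expected paths are the standard Windows install locations, which is an assumption of this example rather than something the article states.

```powershell
# Added example: inventory the boot-chain processes named in the article.
# Expected image paths are the standard install locations (assumption of
# this example, not taken from the article).
$expected = @{
    'smss.exe'     = Join-Path $env:SystemRoot 'System32\smss.exe'
    'winlogon.exe' = Join-Path $env:SystemRoot 'System32\winlogon.exe'
    'explorer.exe' = Join-Path $env:SystemRoot 'explorer.exe'
}

# Take one snapshot so parent lookups are made against the same data.
$all  = Get-CimInstance -ClassName Win32_Process
$byId = @{}
foreach ($p in $all) { $byId[[int]$p.ProcessId] = $p }

$report = foreach ($p in $all) {
    $name = $p.Name.ToLowerInvariant()
    if (-not $expected.ContainsKey($name)) { continue }

    # A parent can exit after starting its child, and its PID can be reused.
    # Only trust the lookup if the candidate parent is older than the child.
    $parent = $byId[[int]$p.ParentProcessId]
    if ($parent -and $parent.CreationDate -le $p.CreationDate) {
        $parentName = $parent.Name
    } else {
        $parentName = '(exited)'
    }

    # ExecutablePath is empty for protected processes in a non-elevated shell.
    if (-not $p.ExecutablePath) {
        $status = 'path unavailable (run elevated)'
    } elseif ($p.ExecutablePath -ieq $expected[$name]) {
        $status = 'expected path'
    } else {
        $status = 'UNEXPECTED PATH'
    }

    [pscustomobject]@{
        Name      = $p.Name
        ProcessId = $p.ProcessId
        Parent    = $parentName
        Path      = $p.ExecutablePath
        Status    = $status
    }
}

$report | Sort-Object Name, ProcessId | Format-Table -AutoSize
```

A process with one of these names running from any other directory is worth investigating, since the names alone say nothing about which binary is actually running.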
Windows Shutdown process
In Windows, the shutdown process is called the ExitWindowsEx() process, which is initiated by a Win32 API call.
When any application or program calls the ExitWindowsEx() process to request a shutdown or reboot (restart), the ExitWindowsEx() process sends a message to winlogon requesting that it stop the current session.
When winlogon receives the request, it first issues a logout request to the user. This request also involves an end-session message as well as a request to end all events. Winlogon also ends all the background processes, sending end process requests again and again. After this, the user account is logged off.
After this, a process called Service Controller is informed that Windows is going to shut down.
At last, winlogon tells the Session Manager Subsystem (SMSS) to shut the system down. Here, the Session Manager Subsystem sends a shutdown request to the Session Manager Subsystem’s LPC port.
The Session Manager Subsystem’s LPC port informs all other system clients that the system is going to shut down. It tells the clients to terminate their respective processes. After that, it calls another process called NtShutdownSystem().
The NtShutdownSystem() process terminates all the plugged devices, and the system is finally in the shutdown state.