05.windowsinternals ch5 startup and shutdown by hedongchenchen


									5장 Startup and Shutdown

발표자: 이용석
발표일: 2006년 7월 24일
목   차
Boot Process (x86/x64 계열만)
Troubleshooting Boot and Startup Problems
Boot Process 개괄 (1)
Boot sector
  loads Boot.ini
  Hiberfil.sys on existing this
  Boot.ini entry selection
  if MS-DOS, bootsect.dos
  displays “Staring Windows”
Boot Process 개괄 (2)
  kernel and HAL images
  SYSTEM registry hive
  boot device drivers
  file system driver
  boot drivers
  phase 0
       Interrupts are disabled
Boot Process 개괄 (3)
          memory manager
          object manager
          security reference monitor
          process manager
              prepare thread for phase 1
          Plug and Play manager
       Idle loop
Boot Process 개괄 (4)
  phase 1
       Command Server Thread
       services, device drivers, Lsass
  logon notification from GINA
  shell from GINA
X86 and x64 Boot Process Components
Component            Process Execution       responsibilities
Master Boot Record   16-bit real mode        Reads and loads partition boot sectors
(MBR) code
Boot sector          16-bit real mode        Reads the root directory to load Ntldr
Ntldr                16-bit real mode and    Reads Boot.ini, presents boot menu,
                     32-bit or 64-bit        and loads Ntoskrnl.exe, Bootvid.dll,
                     protected mode; turns   Hal.dll, and boot-start device drivers. If
                     on paging               a 32-bit installation is booted, switches
                                             to 32-bit protected mode; if a 64-bit
                                             installation is booted, switches to 64-
                                             bit long mode
Ntdetect.com         16-bit real mode        Performs hardware detection for Ntldr
Ntbootdd.sys         Protected mode          Device driver used for disk I/O on SCSI
                                             and Advanced Technology
                                             Attachment(ATA) systems where the
                                             BIOS is not used
X86 and x64 Boot Process Components
Component         Process Execution     responsibilities
Ntoskrnl.exe      Protected mode with   Initializes executive subsystems and
                  paging                boot and system-start device drivers,
                                        prepares the system for running native
                                        applications, and runs Smss.exe
Hal.dll           Protected mode with   Kernel-mode DLL that interfaces
                  paging                Ntoskrnl and drivers to the hardware
Smss              Native application    Loads Windows subsystem, including
                                        Win32k.sys and Scrss.exe, and starts
                                        Winlogon process
Winlogon          Native application    Starts the service control manager
                                        (SCM), starts the Local Security
                                        Subsystem (LSASS), and presents
                                        interactive logon dialog box
Service control   Native application    Loads and initializes auto-start device
manager (SCM)                           drivers and Windows services
BIOS (Basic Input/Output System)
 Encoded into the computer’s ROM
 Selects a boot device
 Reads that device’s MBR into memory
 Transfers constol to the code in MBR
MBR (Master Boot Record)
 Scans the primary partition table for bootable
 Reads boot sector into memory and transfers control
Boot sector
 각 file system 별로 다른 boot sector code가 필요
 Read-only & root-directory-capable file system
 Reads Ntldr into memory from the root directory of
 the system volume
 Transfers control to Ntldr’s entry point
 If can’t find
   “BOOT: Couldn’t find NTLDRP” for FAT
   “NTLDR is missing” for NTFS
 Begins real mode
   No virtual-to-physical translation of memory address
   Use only the first 1MB memory
 Switch the system to protected mode
   Still no virtual-to-physical translation
   Full 32bits of memory address becomes accessible
   Can access all of physical memory
 Creating enough page tables to make memory
 below 16MB accessible with paging turned on
 Enables paging
   Boot-code functions briefly switch off paging ‘cause depends on
   BIOS for IDE and display
   For non-IDE (ie. SCSI), loads Ntbootdd.sys which is a copy of
   the SCSI miniport driver
 Reads the boot.ini using built-in file system code.
    Like the boot sector’s code, read-only
    But can read subdirectories
 Clear screen
 If there is a valid Biberfil.sys in the root of the
 system volume
    Read it
    Transferring control to code in the kernel that resumes a
    hibernated system
    Hiberfil.sys will be valid only if the last time the computer was
    shut down it was hibernated
    See Chapter 11 for information on hibernation
 If there is more that one boot-selection entry in
   presents the user with the boot-selection menu
 Selection entries in boot.ini
   direct Ntldr to the partition on which the Windows system
   This partition is the boot partition or another primary partition
 If the boot.ini entry refers to and MS-DOS
   By referring to C:\ as system partition
   Reads the bootsect.dos into memory
   Switches back to 16-bit read mode
   Calls the MBR code in Bootsect.dos
   Continues an MS-DOS-specific boot
 Boot options
   Can included on entries in boot.ini
   Bootcfg.exe tool: setting a number of the switches
   Save to the registry value
 If doesn’t selected within timeout period
   Chooses the default selection
   “default=“ line에서 설정한 path와 matching되는 path를 가진 첫
 Loads and executes Ntdetect.com
   16-bit real-mode program
   Uses a system’s BIOS to query the computer for basic device
   and configuration information
   The time and date information stored in the system’s CMOS
   The types of buses on the system and identifiers for devices
   attached to the bus
   The number, size, and types of disk drivers on the system
   The types of mouse input devices connected to the system
   The types of parallel ports configured on the system
   The types of video adapters present on the system
   This information will be stored under the
   HKLM\HARDWARE\DESCRIPTION registry key later in the boot
 Loads boot drivers
   Windows 2000: displays the “Starting Windows”
   Windows XP and Windows Server 2003: presents a logo splash
 If on an x64 system and kernel for x64
   Switches the processor to long mode (native word size is 64bit)
 Loading the files from the boot volume
   Needed to start the kernel initialization
   The boot volume corresponds to the partition on which the
   system directory
 Loads the appropriate kernel and HAL images
   By default, Ntoskrnl.exe and Hal.dll)
   If fails: prints the message “Windows could not start because the
   following file was missing or corrupt”, followed bye the name of
   the file
 Reads in the SYSTEM registry hive
   Determine which device drivers need to be loaded to accomplish
   the boot
 Scans the in-memory SYSTEM hive and locates all
 boot device drivers
 Boot-device drivers
   drivers necessary to boot the system
   Indicated in the registry by a start value of
    (ex: HKLM\SYSTEM\CurrentControlSet\Services\dmio\Start)
 Adds the file system driver
   The type of partition on which the installation directory resides
   Must load this driver at this time
   If it didn’t, that would introduce a circular dependency
 Loads the boot drivers
   To avoid circular dependency
   Display a progress bar to indicate the progress of the loading
   /SOS switch: displays the filenames of each boot driver instead
   of progress bar
 Prepares CPU registers for the execution of
Boot options (1)
Boot Qualifier   Meaning
/3GB             Increases the size of the user process address space from 2 GB to 3
                 GB (and therefore reduces the size of system space from 2 GB to 1
                 GB). Giving virtual-memory-intensive applications such as database
                 servers a larger address space can improve their performance. For
                 an application to take advantage of this feature, however, two
                 additional conditions must be met: the system must be running
                 Windows XP, Windows Server 2003, Windows 2000 Advanced Server,
                 or Datacenter Server; and the application .exe must be flagged as a
                 3-GB-aware application (applies to 32-bit systems only). (See the
                 section "Address Space Layout" in Chapter 7 for more information.)
/BURNMEMORY=     Causes Windows to write a log of the boot to the file %System-
/BURNMEMORY=     Specifies an amount of memory Windows can't use (similar to the
                 /MAXMEM switch). The value is specified in megabytes. Example:
                 /BURNMEMORY=128 would indicate that Windows can't use 128 MB
                 of the total physical memory on the machine.
/DEBUG           Enables kernel-mode debugging
Boot options (2)
Boot Qualifier   Meaning
/FASTDETECT      Default boot option for Windows. Replaces the Windows NT 4 switch
                 /NOSERIALMICE. The reason the qualifier exists (vs. just having
                 NTDETECT perform this operation by default) is so that NTDETECT
                 can support booting Windows NT 4. Windows Plug and Play device
                 drivers perform detection of parallel and serial devices, but Windows
                 NT 4 expects NTDETECT to perform the detection. Thus, specifying
                 /FASTDETECT causes NTDETECT to skip parallel and serial device
                 enumeration (actions that are not required when booting Windows),
                 whereas omitting the switch causes NTDETECT to perform this
                 enumeration (which is required for booting Windows NT 4).
/MAXMEM=         Limits Windows to ignore (not use) physical memory beyond the
                 amount indicated. The number is interpreted in megabytes. Example:
                 /MAXMEM=32 would limit the system to using the first 32 MB of
                 physical memory even if more were present.
/SOS             Causes Windows to list the device drivers marked to load at boot
                 time and then to display the system version number (including the
                 build number), amount of physical memory, and number of
Ntoskrnl (1)
   A copy of the selected line in boot.ini
   A pointer to the memory tables
      Ntldr generated to describe the physical memory on the
   A pointer to the in-memory copy of the HARDWARE and
   SYSTEM registry hive
   A pointer to the list of boot drivers
 Two-phase initialization process
   Most executive subsystem initialization functions takes a
   parameter that identifies which phase is executing
Ntoskrnl (2)
  // start phase 0
  disable interrupts
           On boot CPU only, systemwide kernel initialization
              On boot CPU, processing the /BURNMEMORY
              phase 0 Initialization routines for 5 managers
           proceeds to Idle loop
  // end of phase 0
Ntoskrnl (3)
 Phase 0
   Interrupts are disabled
   To build the rudimentary structures required to allow the services
   needed in phase 1 to be invoked
   Calls KiSystemStartup
       calls HalInitializeProccessor and KiInitializeKernel for each
       On the boot CPU: performs systemwide kernel initialization
       On other CPUs: calls ExpInitializationExecutive
       responsible for orchestrating phase 0
       Calls HAL function HalInitSystem
Ntoskrnl (4)
   ExpInitializationExecutive on boot CPU
      Processes the /BURNMEMORY boot.ini switch
      Discarding the amount of memory the switch specifies
      참고: /MAXMEM
      Calls phase 0 initialization routines: Memory manager, object
      manager, security reference monitor, process manager, and
      Plug and Play manager
      Gain system control before Windows performs significant
      further initialization
      Prepares the system interrupt controller of each CPU for
      Configures the interval clock timer interrupt, which used for
      CPU time accounting (See Chapter 6 for more on CPU time
Ntoskrnl (5)
   Memory manager’s initialization
      Constructs page tables
      Prepares internal data structures for basic memory services
      Builds and reserves an area for the system file cache
      Creates memory area for the paged and nonpaged pools
   Object manager’s initialization
      Defines the objects that are necessary to construct the
      object manager namespace
      Creates a handle table
   Security reference monitor’s initialization
      Initializes the token type object
      Prepare the first local system account token for assignment
      to the initial process (See chapter 8)
Ntoskrnl (6)
   Process manager’s initialization
      Performs most of its initialization in phase 0
      Defines the process and thread object types
      sets up lists to track active processes and thread
      Creates the System process and a system thread to execute
      the routine Phase1Initialization (not started now, ‘cause
      interrupts are disabled)
   Plug and Play manager’s initialization
      Simply initializes an executive resource used to synchronize
      bus resources
Ntoskrnl (7)
 Phase 1
        Prepare the system to accept interrupts from devices
        Enable interrupts
   Boot video driver
        Windows 2000: Displays the Windows startup screen
        Windows XP, 2003: presents the same graphic that Ntldr
        placed on the screen earlier in the boot
   Power manager’s initialization
   The system time is initialized (by HalQueryRealTimeClock) and
   then stored as the time the system booted
   On a multiprocessor system, the remaining processors are
   initialized and execution starts
   The progress bar is set to 5 percent
Ntoskrnl (8)
   The object manager creates
      the namespace root directory (\)
      \ObjectTypes directory
      The DOS device name mapping directory (\?? On Windows
      2000, and \Global?? On Windows XP and Windows Server
      \DosDevices symbolic link that points at the DOS device
      name mapping directory
   The executive
      Creates the executive object types incluing semaphore,
      mutex, event, and timer
   The kernel initializes
      scheduler (dispatcher) data structures
      System service dispatch table
Ntoskrnl (9)
   The security reference monitor
      Creates the \Security directory in the object manager
      Initializes auditing data structures if auditing is enabled
   The progress bar is set to 10 percent
   The memory manager
      Creates the section object and the memory manager’s
      system worker thread (explained in Chapter 7)
   National language support (NLS) tables mapped into system
   Ntdll.dll is mapped into the system address space
   The cache manager
      Initializes The file system cache data structures
      Creates its worker thread
Ntoskrnl (10)
   The configuration manager
        Creates the \Registry key object in the object manager
        Copies the initial registry data passed by Ntldr into the
        HARDWARE and SYSTEM hives
   Global file system driver data structures are initialized
   The Plug and Play manager calls the Plug and Play BIOS
   The progress bar is set to 20 percent
   The local procedure call (LPC) subsystem initializes the LPC port
   type object
   If the system was booted with boot logging (/BOOTLOG), the
   boot log file is initialized
   The progress bar is set to 25 percent
Ntoskrnl (11)
   The I/O manager initialization
      Initializes various internal structures
      Creates the driver and device object types
      Calls the Plug and Play manager, power manager, and HAL
      to begin the various stages of dynamic device enumeration
      and initialization (See Chapter 9)
      Windows Management Instrumentation (WMI) is initialized
      (see Chapter 4)
      Boot-start drivers are called to perform their driver-specific
      System-start device drivers are loaded and initialization (see
      Chapter 9)
      MS-DOS device names are created as symbolic links in the
      object manager’s namespace
Ntoskrnl (12)
   The progress bar is set to 75 percent
   If the computer is booting in safe mode, this fact is recording in
   the registry
   Unless explicitly disabled in the registry, paging of kernel-mode
   code (in Ntoskrnl and drivers) is enabled
   The progress bar is set to 80 percent
   The power manager initialize various power management
   The progress bar is set to 85 percent
   The security reference monitor creates the Command Server
   Thread that communicates with Lsass (see Chapter 8)
   The progress bar is set to 90 percent
   Create the Session Manager subsystem (Smss)
   The progress bar is (finally) set to 100%
Ntoskrnl (13)
 Phase 1 initialization thread Waits for the handle to
 the Session Manager process with timeout value of
 5 seconds
 If does time out
   the system crashes itself with a
   the Session Manager is assumed to have started successfully
   calls the memory manager’s zero page thread function
   (explained in Chapter 7)
       This system thread becomes the zero page thread for the
       remainder of the life of the system
Smss (1)
 Considered as a trusted part of the operating
 system by Windows
 So, can perform actions such as creating security
 Is a native application
   Doesn’t use Windows APIs
   uses only core executive APIs, the Windows native API
   Because the Windows subsystem isn’t executing when Smss
 Starts the Windows subsystem
 Calls the configuration manager executive
   initializing the registry
Smss (2)
    Fleshing the registry out to include all its keys
 Configuration manager
    Records the paths to the hives it loads in the
    HKLM\SYSTEM\CurrentControlSet\Control\hivelist key
 Creates an LPC port object (\SmApiPort) and two
 threads to wait for client requests
    Requests such as to load a new subsystem or create a session
 Defines the symbolic links for MS-DOS device names
    Such as COM1 and LPT1
 If terminal service is installed
    Creates the \Sessions directory in the object manager’s
    namespace (for multiple sessions)
Smss (3)
 Runs programs automatically
   Defined in HKLM\SYSTEM\CurrentControlSet\Control\Session
   Typically, boot-time version of Chkdsk (autochk)
 Performs Delayed file rename and delete operations
 Opens known DLLs
   The list of DLLs in
Smss (4)
    creates section objects for them in the \Knowndlls directory of the
    Object Manager namespace
 Creates additional paging files
    Manager\Memory Management\PagingFiles
 Initialize the registry
    Fleshes out the registry by loading the registry hives for the
    Hive locations to look for
       \Windows\System32\Config (forced)
Smss (5)
 Creates system environment variables
 Loads the kernel-mode part of the Windows subsystem
    Path to it and its comoments:
    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
    Changes from the VGA mode to the default resolution chosen for the
 Starts the subsystem process
    Including Csrss
    On windows 2000, POSIX and OS/2 subsystems too
 Starts the logon process (Winlogon)
 Create LPC ports for debug event messages (DbgSsApiPort
 and DbgUiApiPort) and thread to listen on those ports
Smss (6)
 Pending File Rename Operations
   Executable images and DLLs are memory-mapped when they
   are used
   Impossible to update core system files after Windows has
   finished booting
   MoveFileEx has an option to specify that a file move be delayed
   until the next boot
   Type: MULTI_SZ
   Value syntax
        Pairs of filenames
        Source:\??\C:\Long Directory Name\Long File Name.exe
        Target: for delete ‘\u0000’
Smss (7)
 Main thread in Smss waits forever for the process
 handles to Csrss and Winlogon
   If either of these processes terminates unexpectedly
        In Windows 2000: Smss crashes the system
        If Csrss exits in Windows XP and 2003: the kernel crashes
        the system
Winlogon (1)
 Creating the initial window station and desktop
 If a DLL specified in
   Uses that DLL as the GINA
 Otherwise: uses the Microsoft default GINA, Msgina
   Displays the standard Windows logon dialog box
   Creates the service control manager (SCM) process
      Loads all services and device drivers marked for auto-start
Winlogon (2)
 Create the local security authentication subsystem (Lsass)
 process (\Windows\System32\Lsass.exe)
 See the section “Winlogon initialization in Chapter 8
 The registry last known good control set is updated to match
    After SCM initializes the auto-start services and drivers
    After a user has successfully logged on at the console
 Override the definition of a successful boot
    BootOk to 0
    Custom boot verification program
       Calls the NotifyBootConfigStatus
Winlogon (3)
 Waits for an interactive logon notification from the
 Validate the logon (see “User Logon Steps” in Ch 8)
 Loads the registry hive from the profile and maps it
 to HKCU
 Sets the user’s environment variables
 Notifies that a logon has occurred
   Ex) AtiExtEvent
Winlogon (4)
 Tells GINA to start the shell
   Msgina launches the executable or executables specified in
   Userinit (separated by commas)
      By default: \Windows\System32\Userinit.exe
 Userinit.exe performs
   the user scripts
   the machine logon scripts
       Because machine scripts run after user scripts, they can
       override user settings
Winlogon (5)
   Starts \Windows\System32\Proquota.exe
      If group policy specifies a user profile quota
      To enforce the quota for the current user
   Launches the comma-separated shell or shells
      By default: Explorer.exe
 Notifies registered network providers that a user has
 logged in
   The Microsoft network provider, Multiple Provider
   Router(\Windows\System32\Mpr.dll), restores
      The user’s persistent drive letter and printer mappings
      Stored in HCU\Network and HKCU\Printers, respectively
Images that Starts Automatically
 Default system components check and process for
 automatic process startup during boot and logon
 Msconfig utility
   Windows XP and Windows Server 2003
   Displays the images configured by several of the locations
 Sysinternal’s Autoruns tool
Troubleshooting Boot and Startup
Problems 목차
 Windows boot-problem recovery modes
   Last known good
   Safe mode
   Recovery console
 Common boot problems
Windows boot-problem recovery
modes (1)
 Last Known Good (LKG)
   System’s configuration settings:
   Driver and service configuration:
   When booting with last known good menu selection
       Marks the control set that failed by setting the
       HKLM\System\Select\Failed value
       Changes HKLM\System\Select\Current to
       Updates the symbolic link HKLM\System\CurrentControlSet to
       point at the LastKnowGood control set
       Because the new driver’s key is not present, the system will
       boot successfully
Windows boot-problem recovery
modes (2)
 Safe Mode
   Device driver crashes the machine during the boot sequence
      Software and hardware configurations ca change over time
   Concept Windows borrows from Consumer Windows
      Minimal set of device drivers and services
   Four safe-mode variation
      Safe Mode
      Safe Mode With Networking
      Safe Mode With Command Prompt
      Directory Services Restore mode – except Active Directory
      Service, can repair operations on the database
Windows boot-problem recovery
modes (3)
 Recovery Console
   In some situations a safe-mode boot won’t help the system boot
       Ex) If a driver that prevents the system from booting is a
       member of a Safe group
       Ex) A third-party driver, such as a virus scanner driver, that
       loads at the boot prevents the system from booting. (Boot-
       start drivers)
       Ex) A system module or critical device driver file that is part
       of a safe-mode configuration becomes corrupt or when the
       system drive’s Master Boot Record (MBR)
   Boot into a limited command-line shell
   from the Windows CD or boot disks
   to repair an installation without having to boot the installation
Solving Common Boot Problems (1)
 MBR Corruption
    Symptoms: execute the BIOS power-on self test (POST), display BIOS
    version information or OEM branding, switch to a black screen, and then
    hang. “Invalid Partition Table,” “Error Loading Operating System,” or
    “Missing Operating System.”
    Cause: hard-disk errors, driver bug while Windows is running, or
    intentional scrambling as a result of virus
    Resolution: Boot into the Recovery Console and execute the fixmbr
    command. Replace executable code in the MBR. Cannot restore a
    damaged partition table
 Boot Sector Corruption
 Boot.ini Misconfiguration
 System File Corruption
 System Hive Corruption
 Post-Splash Screen Crash or Hang
Solving Common Boot Problems (2)
 Windows File Protection (WFP)
   Within Winlogon
   Implemented in the two DLLs
      Several directories for changes to key drivers, executables,
      and DLLs, including most subdirectories under \Windows
      Using the native API version of ReadDirectoryChangesW
   The file is modified and isn’t MS-signed, rollback with DLLCache
      If non-exist: checks in the network install path or in the
      setup media
Solving Common Boot Problems (3)
 Creating diff between failed and current control set after LKG
 (Last Known Good)
    Run Regedit, and select HKLM\System\CurrentControlSet
    Select Export from the File menu, and save to a file named good.reg
    Open HKLM\System\Select, read the value of Failed, and select the
    subkey named HKLM\System\ControlXXX, where XXX is the value of
    Export the contents of the control set to bad.reg
    Use Wordpad (which is found under Accessories in the Start menu) to
    globally replace all instances of “CurrentControlSet” in good.reg with
    Use Wordpad to change all instances of “ControlXXX” (replacing XXX
    with the value of the Failed control set) in bad.reg with “ControlSet”
    Run Windiff from the Support Tools, and compare the two files
Shutdown (1)
 Logged-on user shutdown by calling ExitWindowsEx
 A message to Csrss instructing it to perform
  Shutdown (1)
      Terminating all the processes in the interactive
      user’s session
                                                  1. call
                     Logged on user

 COM processes                2,5,10. Shutdown msg                             9. Call to terminate
                                                     4. Call with special flag COM processes related
                                                     (each logged on user) with interactive user’s session
   11. terminate
                         Csrss                                        Winlogon
                                          3. Shutdown msg
                                         (Logged on user A)
  7. WM_ENDSESSION                           8. CTRL_LOGOFF_EVENT

           Processes owning
                                       Console Applications
           Top-Level window
Shutdown (2)
 For each the request from Winlogon
   (ie, for each interactive user, not the user who requested a
   In reverse order of their shutdown level
        set by calling SetProcessShutdownParameters
   For each process that owns a top-level window
        For each thread in the process that has a Windows message
          Sends the WM_QUERYENDSESSION message
          If TRUE, the system shutdown can proceed
          Sends WM_ENDSESSION Windows message
          Waits the number of seconds defined in HKCU\Control
          Timeout! : displays the hung-program dialog box
      Terminates the process
EXPERIMENT: Witnessing the
Shutdown (3)
   For each console application
      Sends the CTRL_LOGOFF_EVENT event
      If FALSE: kills the process
      If TRUE or doesn’t respond
          HKCU\Control Panel\Desktop\WaitToKillAppTimeOut
          Displays the hung-program dialog box

 For request from Winlogon by ExitWindowsEx
   Terminates any COM processes that are part of the interactive
   user’s session
 Shutdown (4)
     Send messages to all the processes belonging to the
     system context
                    Logged on user
   Looks at all          (A)
  the processes
   belonging to                    2. Shutdown msg                       1. Call in the system
    the system                                                              Process context

                           Csrss                                    Winlogon

                                         3. WM_QUERYENDSESSION
5. CTRL_SHUTDOWN_EVENT                               4. WM_ENDSESSION

                       SCM                        GUI threads

     6. Service shutdown
       Control message             Registered control handlers
Shutdown (5)
 Although Csrss performs the same timeouts as when
 it was terminating the user process
   Doesn’t display any dialog boxes
   Doesn’t kill any processes
   Simply allow system processes a chance to clean up and exit
   before the system shutdown
   Many system processes are in fact still running when the system
   shuts down: Smss, Winlogon, SCM, Lsass, etc.
Shutdown (6)
 After Csrss has finished its pass notifying system
 processes that the system is shutting down

                  1. call
    Winlogon                  NtShutdownSystem

                                                                    Plug and Play manager,
                                         2. call                        Power manager,
                                                                         I/O manager,
                            NtSetSystemPowerState                   Configuration manager,
                                                                       Memory manager
               3. Orchestrate shutdown

                                                          The rest of
                                                   the executive subsystems
Shutdown (7)
 System shutdown ends in the power manager.
   A shutdown, a reboot, or a power down
 The detailed steps involved in starting and shutting
 down Windows
 We’re ready to explorer the individual executive
 components in more detail, starting with processes
 and threads.

To top