![]() ![]() |
![]() ![]() |
![]() ![]() | |
© 1997 The McGraw-Hill Companies, Inc. All rights reserved. Any use of this Beta Book is subject to the rules stated in the Terms of Use. |
Chapter 1
The Windows NT Registry
This section serves as an introduction to the configuration database of pointers known as the Registry. This section examines the internal structure of the registry beginning with the major partitions of the registry known as Hive Keys (HKEYS). A further examination of the registry includes the different keys and subkeys available. The purpose of these keys is to ultimately order the thousands of registry values into a hierarchical order.
Understanding the Registry
Windows NT and the Win32 API uses a system component
called the Registry to provide a database that stores data about
the system configuration in a hierarchical form. The information
stored in the Registry is comparable to the information stored
in initialization files in Windows 3.1 or Windows for Workgroups
3.11. For native NT applications, the Registry takes the place
of .INI files, storing all configuration information in its database.
Each registry key is similar to a bracketed heading
in an .INI file. Changes made to the system configuration that
are made through administrative tools such as the Control Panel
and User Manager are applied to the Registry database.
Some important Registry characteristics are listed
below:
Registry keys can contain subkeys while .INI files cannot contain nested headings.
Registry Hives
The Four Registry Keys are explained below:
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE contains information such as bus type, system memory, device drivers, and startup control data.
Below is an illustration of the HKEY_LOCAL_MACHINE
window in the Registry Editor:
Figure 1-1: Using the Registry Editor to view
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER contains the user profile for the
user who is currently logged in. It includes environment variables,
personal program groups, desktop settings, network connections,
printers, and application preferences. The following are the default
subkeys for HKEY_CURRENT_USER:
The entries under HKEY_CURRENT_USER are mapped directly
to HKEY_USERS\<SID of currently logged on user> . Therefore,
if an entry is added under one of these, it will automatically
be added to the other. This ensures that both keys contain identical
entries.
Below is an illustration of the HKEY_CURRENT_USER
window in the Registry Editor:
Figure 1-2: Using the Registry Editor to view
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
The HKEY_CLASSES_ROOT window is an alias subkey of
HKEY_LOCAL_MACHINE\Software. It serves as an alias to HKEY_LOCAL_MACHINE\Software\Classes.
The information stored here is used to open the right application
when a file is opened from File Manager (file association) and
for Object Linking & Embedding (OLE).
Figure 1-3: The Registry Editor view of HKEY_CLASSES_ROOT
HKEY_USERS
The HKEY_USERS window is the root of all user profiles on the computer. HKEY_CURRENT_USER is a subkey of HKEY_USERS. This predefined handle contains the default system profile, and the profile of the currently logged on user. HKEY_USERS\<SID for currently logged on user> contains the same information as HKEY_CURRENT_USER, and as noted above they are mapped to each other. Currently, HKEY_USERS has the following two subkeys, each of which have the same subkeys as HKEY_CURRENT_USER:
HKEY_USERS\.DEFAULT is the profile that is used while
the Windows NT CTRL+ALT+DEL logon message is displayed. Therefore,
changing the color scheme under this key will change the color
scheme used for the logon screens. It will not be necessary to
modify the Registry for a screen saver to be enabled when the
CTRL+ALT+DEL logon message is on the screen. By default, the logon
screen will use the blank screen saver.
Figure 1-4:HKEY_USERS as seen through the Registry Editor HKEY_CURRENT_CONFIG
The HKEY_CURRENT_CONFIG window contains information
about the hardware profile used by the local computer at system
startup.
Figure 1-5: The Registry Editor view of HKEY_CURRENT_CONFIG.
The HKEY_CURRENT_CONFIG subtree, new to Windows NT
4.0, contains configuration data for the hardware profile currently
in use on the computer. This subtree is actually an alias pointing
to
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current.
The contents of the Hardware Profiles\Current subkey appear in this subtree.
HKEY_CURRENT_CONFIG was added to the Windows NT 4.0 Registry to be compatible with the HKEY_CURRENT_CONFIG subtree in the Windows 95 Registry. Because it was added to Windows NT, applications that use the HKEY_CURRENT_CONFIG subtree can run on both Windows 95 and Windows NT. HKEY_CURRENT_CONFIG contains data that describes the current hardware profile.
A hardware profile is a set of changes to the standard configuration of devices and services (including drivers and Win32 services) loaded by Windows NT when the system starts. For example, a hardware profile can include an instruction to disable (that is, not load) a driver, or an instruction to Windows NT to not connect an undocked laptop computer to the network. Because of the instructions in this subkey, users can modify the service configuration for a particular use while preserving the standard configuration unchanged for more general uses.
The current hardware profile is the one used to start Windows NT. Users can create multiple hardware profiles and, when Windows NT starts, select from them the settings they want. To create hardware profiles, use the System, Services, and Device options in Control Panel. For more information on creating hardware profiles, double-click System in Control Panel, click the Hardware Profiles tab and open Help.
In the Registry, hardware profiles are stored in the Hardware Profiles subkey in all control sets under HKEY_LOCAL_MACHINE\System. The current hardware profile appears in the Current subkey under each Hardware Profiles subkey, and the subkey under CurrentControlSet appears in HKEY_CURRENT_CONFIG.
The data in HKEY_CURRENT_CONFIG consists of profile-specific modifications to the standard service configuration. This standard configuration is defined by data stored throughout the Software and System subkeys of HKEY_LOCAL_MACHINE. Hence, the structure of HKEY_CURRENT_CONFIG is modeled on the structure of HKEY_LOCAL_MACHINE and can be thought of as a limited or condensed version of HKEY_LOCAL_MACHINE.
When the current hardware profile specifies a change to a value entry in the Software or System subkeys of HKEY_LOCAL_MACHINE, the original value in the Software or System subkey is not changed; instead that change is stored in the analogous subkey of HKEY_CURRENT_CONFIG.
Registry Value Types
Value types (or classes) fall into four categories,
each having its own special editor:
REG_BINARY
The REG_BINARY prefix identifies a value entry as
binary. If a value entry is preceded by the prefix REG_BINARY,
the value entry is written as binary data, and you must use the
Binary Editor to edit this value entry. However, if you want
to do so, you can use the Binary Editor in Registry Editor to
edit any value entry, regardless of the format in which the entry
is written.
Figure 1-6: The Binary Editor dialog box in the Registry Editor
You have your choice of entering the format in which
you want your data to appear:
The Binary option will represent your data as binary numbers.
The Hex option will represent your data as hexadecimal
numbers.
REG_SZ
The REG_SZ prefix identifies a value entry as a data
string. A String is a sequence of characters usually representing
human readable text. An Expandable String usually consists of
human readable text also, but contains a variable that will be
replaced by something else when it is called by an application.
For example, in the value entry %SystemRoot%\system32\bootok.exe,
%SystemRoot% is the expandable portion of the variable, and will
be replaced by the actual location of the directory that contains
the Windows NT system files. If a value entry in Registry Editor
has a REG_SZ or a REG_EXPAND_SZ prefix, you can edit the value
entry by using the String Editor.
Figure 1-7: The String Editor windows in the Registry Editor
REG_DWORD
The REG_DWORD prefix identifies a value entry as
a DWORD entry. DWORD refers to data that is represented by a number
that is 4 bytes long. If a value entry contains the prefix REG_DWORD,
the entry is written in the DWORD format. To edit this data,
you need to use the DWORD Editor.
Figure 1-8: The DWORD Editor window in the Registry Editor
When you assign data for REG_DWORD, you have three
numerical representation options that appears in the Radix box.
The Binary option will display your data as a binary (base-2) number.
The Decimal option will display your data as a decimal (base-10) number.
The Hexadecimal option will display your data as
a hexadecimal (base-16) number.
REG_MULTI_SZ
The REG_MULTI_SZ prefix identifies a value entry
as a multiple string. Invokes the Multi String Editor, in which
you can edit multiple strings of data. If the value entry selected
in the right pane of the Registry Editor window is designated
by the value type REG_MULTI_SZ, you need only to double-click
the value entry to invoke the String Editor.
REG_EXPAND_SZ
The REG_EXPAND_SZ prefix indicates that a value entry
is an expandable string.
Table 1-1: Registry Value Types:
Value Type | Description |
REG_NONE | This has no value type or it is unknown due to encryption. |
REG_SZ | A Unicode String (CHAR or Null-Terminated) |
REG_EXPAND_SZ | An Expandable String that can have embedded environment variables. |
REG_BINARY | Binary Data edited/displayed in bit or binary form. |
REG_DWORD | A 32-bit Number (Word, not byte) that can be expressed in HEX, OCTAL, or decimal data. |
REG_DWORD_BIG_ENDIAN | 32-bit number, high byte first. |
REG_LINK | This is a Symbolic Link in Unicode Format |
REG_MULTI_SZ | This is an array of Strings |
REG_RESOURCE_LIST | Hardware Resource Lists found only in the \HARDWARE subkey of HKEY_LOCAL_MACHINE |
REG_FULL_RESOURCE_DESCRIPTOR | Hardware Resource Description found only in the \HARDWARE subkey of HKEY_LOCAL_MACHINE |
REG_RESOURCE_REQUIREMENTS_LIST | Resource Requirements |
The Evolution from .INI files
The Registry has addressed many design issues relating
to configuration. It eliminates many of the burdens placed on
system administrators and users during software and hardware installations.
Earlier implementations of Windows Operating Systems used .INI
files to hold system configuration. This information included
software environment parameters, desktop parameters, and device
driver and hardware configuration. Many problems arose from this
method which would later be fixed by the registry.
Registry Configuration Options not previously Available
in .INI files include:
Standardization of Hardware Configuration
Multiple Levels of Configuration
User-Specific Configuration
Multiple Data Types
Windows 3.1 *.INI entries in the Registry
Entries that deal with .INI file correlation are
found in the following location:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
These are the keys for each of the standard Windows
3.x *.INI files. Under each of the keys for the *.INI files are
entries for each of the standard headings in these files. These
heading entries each contain a string that points to the location
in the Windows NT Registry where the items that were under these
headings in Windows 3.x can be found. Each of these entries begin
with either SYS or USR. SYS can be found under HKEY_LOCAL_MACHINE\SOFTWARE
while USR can be found under HKEY_CURRENT_USER. Based on this,
to find the Patterns entry that was in the CONTROL.INI under Windows
3.x, look in the Registry under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\control.ini
In the Registry, this key has a Value for Patterns of: USR:Contol Panel\Patterns. This translates into a location of:HKEY_CURRENT_USER\Control Panel\Patterns, for determining what the current, and possible, patterns are on the system.
It is important to be aware that many entries can
be found in more than one location within the Registry. However,
when there are entries in multiple locations, the keys are "mapped"
to one another. This means that when one key is changed, any keys
"mapped" to it will automatically be updated as well,
and vice versa.
Registry File Locations
Physically, the Registry exists as a set of files,
with the Registry being divided into sections referred to as hives.
When Windows NT boots, the majority of the registry is constructed
from these files. All of what is used at bootup builds HKEY_LOCAL_MACHINE.
The various profiles will control the rest of the registry construction.
The following table shows the different Registry hives, and their
corresponding files.
Table 1-2: Major Registry Hives and their origins.
HKEY_LOCAL_MACHINE\SYSTEM \%systemroot%\system32\config\SYSTEM
HKEY_LOCAL_MACHINE\SAM \%systemroot%\system32\config\SAM
HKEY_LOCAL_MACHINE\SECURITY \%systemroot%\system32\config\SECURITY
HKEY_LOCAL_MACHINE\SOFTWARE \%systemroot%\system32\config\SOFTWARE
HKEY_USERS\.DEFAULT \%systemroot%\profiles\Default User\ntuser.dat
HKEY_USERS\<Admin's SID> \%systemroot%\profiles\Administrator\ntuser.dat
HKEY_USERS\<User's SID> \%systemroot%\profiles\%user%\ntuser.dat
The above table shows the hives that are created when Windows NT is first installed. Each time a new user logs onto a system, additional profiles are created for each user, therefore additional HKEY_USERS hives will be created for that user. These files are all located in \%systemroot%\profiles\username. The files in this subdirectory with the extensions of .ALT and .LOG are backups of the hive files. Should the system fail to load because the system hive has a bad sector, Windows NT will automatically switch to the SYSTEM.ALT.
The information regarding the hive files and what
they map to, can also be found in the Registry under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control \hivelist
Subtree Reference
HKEY_LOCAL_MACHINE\SECURITY
HKEY_LOCAL_MACHINE\SECURITY
This key holds all of the security information for
the local computer. By default, it is NOT possible to modify any
of the \SECURITY subkeys, even if logged on as Administrator.
Modifying the default registry key permissions can change this.
However, it is not recommended to do this unless you are manually
saving these subtree for backup purposes. Only in the utmost rarest
of circumstances an administrator will need to manually edit this
subkey.
HKEY_LOCAL_MACHINE\SOFTWARE
This key contains the per-machine software data. In other words, this key contains the configuration information about the software installed on the local system. This information applies to all users of the system and is written to the Registry when a piece of software is installed on the system. The software then can use this key to store environment parameters. By querying this key, it is possible to determine what software is installed on a system. Microsoft even prescribes a convention for how information should be stored under this key:
\SOFTWARE\<Company Name>\<Product Name>\<Version Number>
For example, when you install Microsoft Word 7.0,
Word would create the following:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Word\7.0
Preferences and other user iInformation regarding
the configuration of the application is stored on a per-user basis
the user's profile which is constructed as:
HKEY_CURRENT_USER\Software\<Company Name>\<Product Name>\<Version Number>
This information is written to the Registry at application
runtime, since the user who installed the software may not necessarily
be the user of the application.
HKEY_LOCAL_MACHINE\SOFTWARE\Description
This subkey also contains description information
about the installed applications, as mentioned in the preceding
paragraph.
HKEY_LOCAL_MACHINE\SOFTWARE\Program Groups
The Program Groups subkey under HKEY_LOCAL_MACHINE\Software is redefined in Windows NT 4.0. In previous versions of Windows NT, it contained a list of the program groups used by all users of the local computer. In Windows NT 4.0, program groups have been replaced by the Windows NT Explorer directory structure. Now, this subkey is used only to record-as a yes/no, 0x1/0x0 value-whether all former program groups have been converted to the new directory structure.
The ConvertedToLinks value entry indicates whether the program groups were converted. A value of 1 (0x1) indicates that the conversion is complete.
When Windows NT 4.0 is installed on a computer that
has never run Windows NT, there are no subkeys under the Program
Groups subkey. However, upgraded versions can still contain binary
data for common program groups that appear as Program Groups subkeys.
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Classes contains data
to associate applications with file types (by filename extension).
It also includes Registry information associated with COM objects.
The data under the Classes subkey is also reflected in HKEY_CLASSES_ROOT.
The Classes subkey contains two types of subkeys:
Filename-extension subkeys: These associate applications with file types by their filename extension. These subkeys contain information you add by using the File Types tab in Windows NT Explorer, information that is added during installation of Windows-based applications, and information about applications installed by Windows NT.
Figure 1-9: Example of filename extensions
Class-definition subkeys: Class-definition subkeys
contain Registry information associated with Component Object
Model (COM) objects. The data in these subkeys specifies the shell
and OLE (COM) properties of an object. If an application supports
dynamic data exchange (DDE), the Shell subkey can contain Open
and Print subkeys that define DDE commands for opening and printing
files, similar to the information stored in the Registry database
under Windows 3.x..
Figure 1-10: Example of Class Definitions.
HKEY_LOCAL_MACHINE\Software\Microsoft
The HKEY_LOCAL_MACHINE\Software\Microsoft subkey contains configuration settings for all of the Microsoft software installed on the computer.
The Windows NT\CurrentVersion subkey is of particular
interest. This subkey contains information about software that
supports services built into Windows NT, as well as data about
the version and type of the current release (multiprocessor versus
uniprocessor). For example, it is possible to run a Windows NT
uniprocessor kernel on a multiprocessor computer, but you do not
get any multiprocessor benefits by doing so.
HKEY_LOCAL_MACHINE\Software\Secure
The Secure subkey provides a convenient place for
applications to store configuration information that should be
changed only by an administrator.
HKEY_LOCAL_MACHINE\Software\Windows 3.1 Migration Status
The Windows 3.1 Migration Status subkey contains data if the computer has been upgraded from Windows 3.x to Windows NT 4.0. The values in this subkey indicate whether upgradable parameters in Windows 3.x .INI and REG.DAT files have migrated successfully to the Windows NT 4.0 format. If this subkey is deleted, Windows NT will again attempt to migrate the files when the system is restarted. There is also a Windows 3.1 Migration Status subkey under HKEY_CURRENT_USER. It tracks the migration of Program Group (.GRP) files to the Windows NT Explorer format.
HKEY_LOCAL_MACHINE\HARDWARE
HKEY_LOCAL_MACHINE\HARDWARE
This key is essentially the installed hardware database
and represents the physical configuration of the machine. This
includes such data as the processor type, bus type, video adapter
type, which interrupts are being used, etc. This data is volatile
and is re-computed each time the system is booted.
HKEY_LOCAL_MACHINE\HARDWARE\Description
This subkey refers to the root of the hardware database built by the operating system loader during the boot process. On ARC compliant systems, this is a copy of the ARC configuration database which is extracted from the system's firmware. On x86 based systems, it is a subkey in the same format as the ARC tree, but it contains whatever data NT DETECT.COM could recognize.
When Windows NT is selected from the OSLOADER menu,
NTDETECT.COM will scan hardware and abstract values that will
then be placed into the HARDWARE subtree. The Windows NT Hardware
Abstraction Layer (HAL.DLL) will then use these parameters for
hardware access.
Each hardware component that is detected has a set
of values associated with it that store configuration data for
that component:
Component Information: contains binary data that identifies among other things, version information.
Identifier: contains the identifier of a component, if specified.
Configuration Data: contains the component specific
information, such as I/O port addresses, IRQ number, etc. This
entry will not be present if the data is not available for a particular
component.
HKEY_LOCAL_MACHINE\HARDWARE\Devicemap
This subkey contains additional subkeys that list
the device drivers which need to communicate the names of the
device objects they have created, along with certain properties
of those device objects to other device drivers, and to user mode
code. For example, video drivers need to communicate to the Windows
NT USER mode subsystems which type of video hardware is associated
with which device object, and what user-mode display DLL should
be bound to it. The \Devicemap subkey offers a solution to this
problem. \Devicemap contains the device class specific data used
by user-mode software that needs to communicate with the device.
HKEY_LOCAL_MACHINE\HARDWARE\Resourcemap
This key is used to track which hardware resources
are in use, and by which drivers. The data stored under this key
is volatile and is therefore recreated each time the system is
booted. All device drivers are expected to report their use of
I/O ports, memory addresses, interrupt vectors, and statically
allocated DMA channels. This allows Windows NT to detect and report
conflicts, in order to guide the installation and configuration
of new devices and drivers.
HKEY_LOCAL_MACHINE\SAM
This key contains the Security Account Manager database,
which contains user and group account information for the local
system if it is a Windows NT system. On the other hand, if the
system is using Windows NT Advanced Server, this key contains
information for the domain. Currently, this key is mapped to HKEY_LOCAL_MACHINE\SECURITY\SAM.
HKEY_LOCAL_MACHINE\SYSTEM
The most important section of the Registry for the
boot process is the HKEY_LOCAL_MACHINE\SYSTEM section. The data
stored under this key is organized into what are called control
sets.
Control Sets
A control set can be thought of simply as an instance
of system parameters. Under HKEY_LOCAL_MACHINE\SYSTEM there will
be four ControlSets:
HKEY_LOCAL_MACHINE\SYSTEM\Clone
This is a volatile copy of the ControlSet the system
booted from (CurrentControlSet). This key is made during the Kernel
Initialization phase (discussed in detail later in this module)
of the boot sequence and is used by the Service Controller (SCREG.EXE).
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001
This is the primary ControlSet and is used, by default,
to boot Windows NT from.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002
This is a backup ControlSet that can be used in the
case of ...\ControlSet001 failing to boot the system.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
This is the ControlSet that Windows NT is booting from. Typically it will be mapped to HKEY_LOCAL_MACHINE\SYSTEM\ControlSet0001.
Each of these ControlSets consists of two subkeys: \Control and \Services.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control
This subkey holds all of the miscellaneous information
necessary to boot Windows NT, such as paging file size, location,
etc.
HKEY_LOCAL_MACHINE\System\Control\ServiceGroupOrder
This subkey contains a value called "list",
which is a list of groups in the order in which they are to be
loaded. For example, we have to load the disk driver before we
can load the file system
HKEY_LOCAL_MACHINE\System\Control\GroupOrderList
This subkey contains one value entry per load Group
specified, each of which list the Tag values (discussed more below)
in the order they are to be loaded.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Select
The Select subkey contains the following named values:
Value Name:Current Data Type: REG_DWORD Range: 0xN, where N identifies a control set
This registry key identifies the control set from which the CurrentControlSet subkey is derived. If this value is 0x1, for example, the subkey producing the CurrentControlSet is ControlSet001.
Value Name: Default Data Type: REG_DWORD Range: 0xN, where N identifies a control set
Identifies the default control set. If this value
is 0x1, for example, the default control set is ControlSet001.
Value name: Failed Data Type: REG_DWORD Range: 0xN, where N identifies a control set
Identifies the control set number of the control
set that was last rejected and replaced with a LastKnownGood control
set.
Value Name: LastKnownGood Data Type: REG_DWORD Range: 0xN, where N identifies a control set
Identifies the last control set that successfully
started the system. If this value is 0x1, for example, the last
control set known to be good is ControlSet001.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control
The Control subkey itself can contain the following
named values:
Value name: Current User Data Type: REG_SZ Range: Username
Specifies the user name for the currently logged-on
user.
Value Name: RegistrySizeLimit Data Type: REG_DWORD Range: 0 -or- Megabytes: 4 - 0xFFFFFFFF (Actual range: 4MB - 80% of paged pool) Default: 25% of the size of the paged pool
Establishes the maximum amount of paged pool space
(and disk paging file space) that can be consumed by Registry
data from all applications. (It does not allocate space in the
paged pool, nor does it assure that the space will be available
if needed.) If the value of this entry is 0, the system adjusts
the RegistrySizeLimit dynamically based on the size of the paged
pool.. If both RegistrySizeLimit and PagedPoolSize are set to
0, PagedPoolSize is set approximately equal to the amount of physical
random access memory on the computer, and RegistrySizeLimit is
set to approximately 25% of PagedPoolSize. If the value of this
entry is 0xFFFFFFFF, the system sets RegistrySizeLimit to 80%
of the size of the paged pool.
Value Name: SystemStartOptions Data Type: REG_SZ Range: String
Contains the text of system arguments passed to the
system by the firmware in RISC systems or by Boot.Ini in Intel-based
computers. These values can be used to determine whether the debugger
is enabled, the options set for ports and speed, and so on. For
example, the following value could be defined for SystemStartOptions:
c:\winnt="WindowsNT" /DebugPort=com1 /DebugBaudRate=56000
In this example, "WindowsNT" in the first
part of the string indicates the Systemroot value specified under
the WindowsNT\CurrentVersion subkey in the Software area of the
Registry. The remaining portion of this string is interpreted
by the system to define the COM port and baud rate for debugging.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\BootVerificationProgram
The BootVerificationProgram key is used to update
the last known good configuration during system startup. This
entry describes a program that will be called by the service controller
to establish the last known good configuration.
The BootVerificationProgram Key can have the following
named values:
Value Name: ImagePath Data Type: REG_SZ or REG_EXPAND_SZ Range: Filename Default: (no entry)
Specifies the filename for a startup verification program.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services
This subkey contains all of the kernel device drivers,
file system drivers, and Win32 service drivers that can be loaded,
as well as if and when they are to be loaded. These entries control
the behavior of the service:
Value entries identify either a service or a device
driver with the following values:
Type: This parameter is a DWORD value and can have one of the following settings:
0x1: Kernel drivers
0x2: File System drivers
0x4: Adapters
0x10: Win32 Services (that do NOT share processes)
0x20: Win32 Services (that do share processes)
Subkeys with a Type of 0x4 (Adapter) contain a set of arguments
for a piece of hardware.
Start: This parameter can have one of the following settings:
0: Boot - Kernel load
0x1: System - Kernel initialization
0x2: Auto - Win32 subsystem start
0x3: Demand - can be loaded by user
0x4: Disabled - never loaded
ErrorControl: This value determines what happens if the driver being loaded, does not load or initialize properly. There are three different ErrorControl levels:
This parameter can have one of the following settings:
0x1 - "Normal". If this occurs, the boot process should ignore the error and proceed.
0x2 - "Severe". If the current boot is not based on the LastKnownGood, the boot process should fail and restart using the LastKnownGood. If the boot process is using the LastKnownGood, the error should be ignored and the boot process should continue.
0x3 - "Critical". A "critical"
error is very much like a "severe", in that it switches
to the LastKnownGood if not using it. However, if the LastKnownGood
is being used, the boot process will fail and an error message
will be displayed.
Group: Group values allow services to be loaded in
an order related to the type of service that they are.
Tag: This value specifies an explicit load order
for the services, within a group.
ImagePath: This value entry specifies the items path
name. The default for a driver is <winnt root>\System32
\Drivers\<drivername>.SYS and for a service is <winnt
root>\System32\<servicename>.EXE. This entry is ignored
for items of the adapters type.
ObjectName: This value entry specifies an object
name. If the service type is a Win32 Service, then this is the
account name the service will use to log itself on when the service
is run. If the service type is Kernel or file system driver, this
name is the Windows NT driver object name, which the I/O Manager
uses to load the device driver. The default for this key is <subkeyname>.
DependOnService and DependOnGroup value: This value
entry specifies zero or more service value entries (DependOnService)
or group names (DependOnGroup), the default being empty. Dependencies
all subkeys to be loaded in an order related to other particular
subkeys they are closely associated with. For example, the NetBEUI
transport depends on an NDIS driver being loaded. That is, in
order for the NetBEUI protocol stack to load successfully, an
NDIS network card driver must have first been loaded.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\<ServiceName>\Parameters
These value entries contain any arbitrary data the
driver writer wants to store
HKEY_LOCAL_MACHINE\SYSTEM\Select
Under this subkey, there are four entries that tell the boot process which ControlSet of drivers and services should be loaded.
The four entries are:
Current: This is the value of the ControlSet that Windows NT is currently using.
Default: Unless told otherwise, NTOSKRNL.EXE uses the ControlSet pointed to by the Default value.
LastKnownGood: This is the value of the ControlSet that last successfully booted Windows NT.
Failed: This is the value of the last ControlSet
that was unable to boot Windows NT. This value will be 0 (zero)
if Windows NT has never failed during the boot sequence.
HKEY_LOCAL_MACHINE\SYSTEM\Setup
This subkey contains information used by the Windows
NT Setup program.
Subkeys of HKEY_LOCAL_MACHINE\System\CurrentControlSet
\Control for All Control Sets
BootVerificationProgram: A value that can be set to define a nonstandard mechanism to declare system startup as "good."
ComputerName: The names of the default and active computers stored in two subkeys, ComputerName and ActiveComputerName. To set the computer name, use the Network option in Control Panel.
GroupOrderList: Specifies the order in which to load services for all groups that have one, used in combination with Tags. ServiceGroupOrder specifies the order for loading groups.
ServiceGroupOrder: Specifies the order in which to load various groups of services. Using the Tags and GroupOrderList entries specifies the order within groups.
HiveList: The location of the files that contain Registry information. This value should be maintained only by the system.
Keyboard Layout: The DLLs for the keyboard language used as the default layout, plus a subkey named DosKeybCodes that lists the other available keyboard layouts. To set keyboard layout, use the Input Locales tab under the Keyboard option in Control Panel.
Lsa: The authentication package for the local security authority. This value should be maintained only by the system-errors can prevent anyone from being able to log on to the computer.
NetworkProvider: Can contain two subkeys, Active and Order, that specify the network provider and the order in which to load providers. Control settings for network providers by using the Network option in Control Panel.
Nls: Information on national language support in three subkeys: CodePage, Language, and OEMLocale. Set preferences about language and locale in Windows NT by using the Regional Settings option in Control Panel.
Print: Information about the current printers and printing environment contained in several subkeys:
Environments - which contains subkeys defining drivers and print processors for system environments such as Windows NT on Digital Alpha, Windows NT on MIPS Rx4000, and Windows NT on Intel-based computers.
Monitors - which can contain subkeys with data for specific network printing monitors.
Printers, which can contain subkeys describing printer parameters for each installed printer.
Providers, which can contain subkeys describing DLLs
for network print services. To change printing parameters, click
the Start button, point to Settings, then point to the Printers
folder.
PriorityControl: The Win32 priority separation. Set this value only by using the System option in Control Panel.
ProductOptions: The product type, such as Windows NT. These values should initially be maintained only by the system. We will discuss controversy revolving this and other registry entries a little bit later in the book.
Session Manager: Global variables used by Session Manager and these subkeys:
DOSDevices - which defines the MS-DOS devices AUX, MAILSLOT, NUL, PIPE, PRN, and UNC.
Environment - which defines the ComSpec, Path, Os2LibPath, and WinDir variables. To set user environment variables, in Control Panel double-click System. To change or add to the computer's default path, or add default system environment variables, change the values in this subkey.
FileRename - Operations, which is used during startup to rename certain files so that they can be replaced. These values should be maintained only by the system.
KnownDLLs - which defines the directories and filenames for the Session Manager DLLs. These values should be maintained only by the system.
MemoryManagement - which defines paging options. Define the paging file by using the System option in Control Panel.
SubSystems - which defines information for the subsystems
installed on the system.
HKEY_CURRENT_CONFIG
The current hardware profile in the CurrentControlSet
subkey also appears in HKEY_CURRENT_CONFIG.
Enum:
The Enum subkey contains hardware configuration data
for devices and drivers loaded by Windows NT.
Hardware Profiles:
The Hardware Profiles subkey contains configuration data for drivers and devices specific to a hardware profile. Users can create multiple hardware profiles for each control set. Data appears under the Hardware Profiles subkey only when it differs from the standard settings for drivers and devices.
System Environment Variables
System environment variables are used by Windows NT to find programs, allocate memory, and control program behavior. The System environment variables are defined by Windows NT, and cannot be changed by the user, unless the Registry is modified.
The system environment variables are found under:
\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Session Manager\Environment
NOTE: User Environment Variables can be edited
in the System dialog under the System Control Panel. For example,
to change the location that the temp variable points to:
1. Click on the temp variable line in the User Environment Variables box.
2. Enter a new value and click the Set button.
Dr. Watson
The Windows NT retail product will include Dr. Watson, DRWTSN32.EXE, also referred to as the Windows NT User Application Debugger, which is similar in functionality to the Windows 3.1 Dr. Watson utility.
Under Windows NT, Dr. Watson is configured to automatically catch any Win32 application errors and generate a log file containing fault information about the offending application. The following data is generated in the Dr. Watson log file:
1. Exception information, such as exception number and name.
2. System information, such as machine name, user name, os version, etc.
3. Task list.
4. A state dump for each thread, including a register
dump, disassembly, stack walk, symbol table.
Enabling/Disabling Dr. Watson
By default, Dr. Watson will be enabled when Windows
NT is installed. To disable Dr. Watson, the following Registry
value must be changed from a 1 to a 0 (zero):
\HKEY_LOCAL_MACHINE\SOFTWARE \Microsoft\Windows NT\CurrentVersion\AeDebug
There is an entry called "Auto" that corresponds to how Dr. Watson will startup.
To enable Dr. Watson, change the above "Auto"
value from 0 (zero) to 1. This will then launch whatever debugger,
or application, is under the Debugger registry value. For Dr.
Watson, the Debugger value should contain:
drwtsn32 -p %ld -e %ld -g
This value can be replaced with a debugger contained within whatever development kit
Configuring Dr. Watson
To configure Dr. Watson, start DRWTSN32.EXE from
the command line or a Program Manager icon and use the Dr. Watson
user interface for configuration purposes.
All of the Dr. Watson configuration information is
stored in the Registry under:
\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\DrWatson
Registry Size and Construction
Figure 1-11: How the Registry is constructed
Registry Information
The Registry data is collected from the following sources:
· The Windows NT Setup program.
· The Windows NT x86 hardware detection program (NTDETECT.COM), or on ARC compliant systems, the POST routine.
· Hardware, Software, and their installation software.
· The Windows
NT applets.
The Windows NT Registry is designed to hold all the configuration information for Windows NT and any installed applications. However, an artificial limit of 1 megabyte is imposed on the amount of data that can be stored in the data field of a Value entry. If more than 1 megabyte of data needs to be stored, it is recommended that the data be stored in a separate file and a Registry entry created that points to the file. Because the Registry is designed to hold small objects, this is an artificial limitation that was imposed to prevent Registry abuse.
The Win32 API
Win32 is the native subsystem of Windows NT. It
is an adaptation of the Win16 subsystem. Although it is a proprietary
subsystem, Win32 is likely to become widely used, thereby negating
one of the major problems of a proprietary system. Other subsystem
calls within NT are converted to Win32 services.
The Win32 API is found on three platforms - Win32s,
Windows NT, and Windows '95. To developers, it is the 32-bit version
of the Win16 API: the Application Programming Interface which
has been used for writing windows programs since version 1.0.
It is the combination of data types, definition and functions
which C programmers include as a set of header files. Most of
the functions are implemented in DLLs, to which applications link
at run time.
The core API divides into three sections:
Each is pretty much built on top of the other. In
Windows 95 the services are provided by three DLLS -USER32, KERNEL32
and GDI32, which either implement the calls or pass them down
to their 16 bit predecessors. In Windows NT many of the services
are implemented in Kernel Mode and various forms of inter-process
communication are used to manage this.
Differences from the Win16 API
Initial Differences
The following table explains the majority of differences
between the Win32 API and the Win16 API in terms of application
development.
Why move from Win16 to Win32?
When starting out coding a new program, it is far
easier to write a pure 32 bit app than old 16 bit programs -even
if you used to use the large model. For working 16 bit apps there
are a lot of benefits to be gained by porting to 32 bits.
It can be painful porting, especially during that
phase when you have to support both 16 and 32 builds. However,
for the Long-term, only 32 bit code has a future.
Why not?
If you choose not to upgrade your application to
Win32, then you can still stamp the .exe as requiring Windows
'95, so that the OS will automatically clean up all resources
it has allocated.
Tools for Developers
Microsoft VC++4.x
Version 4.1 came out (March/96), although you can
only buy 4.0 in the shops: you need a subscription to get the
regular updates. Version 4.2 shipped in July 1996: it no longer
supports Win32s and does not apparently install on Windows NT3.51.
So, you have to use Windows NT 4.0. Developers still developing
for NT 3.51 should use Visual C++ 2.0.
The class library supports OCX containers as well
as control development itself, an improved Integrated Development
Environment, over-LAN debugging and copy-on-write strings. Versions
4.0 & 4.1 use the OS to provide all heap management, while
earlier and later versions use their own heap manager for better
performance.
Microsoft VC++2.x
The last version, 2.2 was available on subscription
only. It had the up to date Windows 95 header files and support
for the new common controls. Also Windows95 ships with the base
run time DLLs (MSVCRT20 MFC32) so your app doesn't have to. Cross
compiler for Macintosh and native Mips/Alpha/PPC compilers available
[and dearer].
Note: Does not run under Win32s.
Borland C++5.0. (For Intel platforms only).
A true 32 bit Integrated Development Environment
that can still develop 16 bit and dos applications. OWL 5 provides
wrappers for the common controls and windows sockets. Although
apparently the system does support OCX creation and use, the lack
of OCX support in the Resource Workshop, and the absence of any
OCX Expert, means that it isn't really suitable for OCX development
and use. It does still support VBX's in 32 bit apps though. The
early 5.0 version had a reputation for leaks and bugs Some patches
are available on Borland's Web site http://loki.borland.com/cpp/Patchs.htm.
Version 5.01 ships with the MFC source, so that MFC applications
can also be built with the compiler.
Visual Basic 4.0
Visual Basic 4.0 is the 32-bit successor to Visual
Basic 3.0. It comes with OCX equivalents of all the old VBX's
that it used to ship with, plus a more Object-Oriented language.
How does Visual Basic find Windows API Functions?
As mentioned earlier, all of the functions that comprise the Windows API are located in a set of dynamic link libraries that comprises Windows. Each of these dynamic link libraries has a header that defines which functions in the library can be called by other programs and where they are located in the library. These functions are said to be "exported" from the DLL.
When you write a Visual Basic program, the API functions are called just like Visual Basic functions. How does Visual Basic know which functions are API functions and where to find them? This is accomplished using the Declare statement which takes one of the following forms:
Declare Sub globalname Lib "libname" [Alias "alisaname" ][([argumentlist])]
Declare Function globalname Lib "libname" [Alias "alisaname" ][([argumentlist])] [As type]
globalname is the name of the function as it will
appear in your Visual Basic code when you call it. This is usually
the same as the name of the function in the DLL, but it may be
different, in which case the name of the function in the DLL is
specified as aliasname.
Watcom C++ 10.x
Has a reputation for good code optimization, and
has licensed the MFC class libraries. [Tool of choice by real
programmers. Apparently]
Symantec C++ 7.x
Comes with a licensed version of MFC 3.x.
Borland Delphi 2
A 32 bit version of Delphi, with OLE support added:
automation client and server and "Support for OCX controls".
That means it's a good OCX container but no good for implementing
them.
Office 95/97 macro languages
Visual Basic for Applications and Word Basic are
32 bits wide now. They also have full OLE Automation Support
Newer 32 bit tools
Gnu for Win 32
This is a project underway to port the gnu compiler
to windows 32. The final product probably won't ship with windows.h
-it is intended to help in cross platform portability rather than
windows app development.
Microsoft Visual J++.
Microsoft Visual J++ is a Java compiler that supports
COM, so that Java can be used to write OLE/COM objects and call
out to the Operating System via COM interfaces and the standard
Java packages. Presumably the output will work on all 32-bit windows
platforms.
The other Java compilers -Sun's JDK and Symantec's
Visual Cafe for example, all produce perfectly good applet code,
but lack the Operating System interfaces which one needs for Windows
logo applications. But then, their output runs on all Java platforms.
Other Useful Tools
The NT resource kit is useful, as are many of the
gnu command line tools. It is especially along the lines of application
development and management containing versions of ps.exe and kill.exe
MSDN
The Microsoft Developer Network is an annual subscription
to get a massive amount of CD-ROM's that are full of useful programming
information. They also contain all of the supported operating
systems including their resource kits. The kit comes in three
varieties
The Win32 Software Development Kit:
Win32 SDK is not a standalone compiler. But it does
include some useful tools, including the Multiple Interface Definition
Language compiler for custom COM interfaces.
Other Development Issues
OWL vs. MFC
This is a religious issue that is best not asked.
C++ purists tend to prefer the OWL (Object Windows Library) because
of its effective use of multiple-inheritance, templates and exceptions.
MFC (Microsoft Foundation Classes) can be a bit lower level and
the two phase construction process can seem unnecessary, but it
is often more up to date with respect to windows features (OLE
version 2.0, Explorer Objects).
Figure 1-12: Example of MFC common Controls
Which is the best OS for win32 application development?
This may be a bit of a religious issue too. Windows NT is excellent
for development, mainly because it is so robust and you can still
use other applications during compiles. It does use a fair bit
of RAM, even before you add the compiler's requirements. Developing
16 bit apps in NT is good too, simply because you can reboot the
16 bit subsystem so easily.
Windows 95 is not quite as robust as NT, but it runs
better on a lower-end machine. If you want to use libraries for
which there are no current NT equivalents then win95 is a must
(or you can cheat and have two computers]. Extensive use of the
win95 shell also provides valuable experience in the new user
interface that is required to write a true Windows 95 application.
As more "consumer-class" functionality is added to Windows
NT, the need for using win95 may lessen.
Win31 and Win32s is not really suited for application development. Borland C++ certainly can be used in this situation, but not Visual C++. For others, consider relegating this platform to a test environment if a Win32s version is required.
Porting
When we speak of "porting", we are referring
to the act of taking an application from one platform and translating
to run on another platform. Initially, it is easier to go from
16 bit to 32 bits than the other way around. There is usually
a prescribed process to doing so:
1.Get the 32 bit version of your development tools.
2.Get the 32 bit versions of any support DLLS/VBXs
3.Read the "Creating Great Applications for
Windows 95" and "windows 95 logo requirements"
articles and understand the implications.
Trying to compile your program with a 32-bit compiler
is usually the first big step: fix all the errors it shows and
then see if it works when it is run.
A raw API app can just be rebuilt, using PORTTOOL.EXE
to help you. Using the "windowsx.h" macros and message
crackers can assist you here. Class libraries often provide the
message cracking for you, so make life a bit easier. Opening up
the project in Visual C++ and rebuilding can port MFC Apps fairly
quickly. In terms of the OWL-based apps, you might want to create
a new 32-bit target or a new project with a 32 bit exe as the
destination.
Implementations of the Win32 API
Windows NT
Windows NT native applications are Win32 applications.
This makes those applications more powerful, robust, and faster.
Table 1-3: Areas of Windows NT Covered by the
Win32 API
Atoms | Networks |
Child Controls | Pipes and Mailslots |
Clipboard Manipulations | Printing |
Communications | Processes and Threads |
Consoles | Registry Database Manipulation |
Debugging | Resources |
Dynamic-Link Libraries | Security |
Event Logging | Services |
Files | Structured Exception Handling |
Graphics Drawing Primitives | System Information |
Keyboard and Mouse Input | Tape Backup |
Memory Management | Time |
Multimedia Services | Windows Management |
Win95 (Win32c)
With the release of Windows '95, application programmers
are moving to port their applications to the Win32 API. However,
there is some difficulty in making Windows '95 applications binary-compatible
with Windows NT's Win32 subsystem. This is due to the Windows
NT executive services. There are also significant differences
between Windows '95 and Windows NT's memory-mapped file API. Under
Windows '95, memory-mapped files are based in the system address
range (>2GB) while under Windows NT the memory mapped files
are based in the process address space (<2GB).
Many developers have assured the 32-bit compatibility
of applications between Windows '95 and Windows NT. Microsoft
also requires Windows '95 applications to work under Windows NT
as well in order to get the Windows-flag compatibility stamp.
Figure 1-13: A Windows '95 Application
Win32s: Windows 3.x (Win32 on Win 16)
Win32s consists of a few Dynamic-Link Library files
and Virtual Device Drivers that add Win32 API functions to the
16-bit Windows 3.x system. Microsoft created Win32s to allow developers
to begin writing 32-bit code before the release of Windows 95
and Windows NT.
It is a set of modules that enable 32 bit windows
applications to run under Windows 3.1. Only a subset of the Win32
API is implemented, hence the 's' in the name. Many 32 bit apps
work with Win32s (Netscape, PhotoShop 3.0), but many do not (Visual
C++2.0 onwards)
Although the kernel and GDI of win95 is clearly "cut-down"
compared to NT, with 20 million copies sold [April 95], it is
probably already the dominant platform for 32 bit windows applications.
Win32 Extension Libraries
There are many extension libraries to Win32. In fact,
it seems that everyday, Microsoft is coming out with a new set
of technologies alongside a code name. I practically have to review
my Microsoft code words at the end of the week so when I give
lectures, I can ensure myself that I am using the right word for
the right set of technologies. Here are a few common Win32 extension
libraries.
OpenGL
Ships with NT and available on win95 as extra DLLs
from MSDN II.
WinG
Was used in Graphics/ Gaming Development, however
its use is disparaged. Offered little above CreateDIBSection apart
from a decent halftoner and a profiler applet. DirectX is the
future of gaming under windows.
DirectX Games SDK
There are several different implementations of Direct
X. Direct allows for optimization of games and until NT runs on
Nintendo, it will be the future of NT gaming. It allows for certain
calls to go directly to multimedia hardware. Here is a brief manifest
of Direct X:
DirectX 1.0 (DirectPlay, DirectDraw, DirectSound, DirectInput) Win95 only.
DirectX 2.0 : DirectX 1 plus Direct3D Included in NT 4.0. Win95 & NT from Summer 1996. NT4 gets Direct 3D in from Service Pack 1, with hardware assist for 3D rendering in SP2.
DirectX 3.0: Available in both as of August 96.
Windows for Pens
Win95 only. All Win95 installations include an ink
renderer DLL.
Explorer/New Shell
In Win95 and NT from versions 4,0 onwards.
TAPI32
Telephony support. Win95 and NT4 . The unimodem/V drivers which work well with voice
modems are available on the MS Web site.
TOOLHELP32
For win95 only. Debugging functions of little use
to most programmers now that SEH can trap exceptions in your own
code.
WINSOCK2
Available with NT4 and as an add on to win95. No
16 bit or NT3.x versions are planned.
ActiveX, the Internet SDK
An umbrella term for Microsoft technologies that
enable developers to create interactive content for the World
Wide Web. ActiveX Controls provide a new technique for enhancing
web pages. These controls can also be implemented directly in
a standard HTML application.
OLE
Prior to OLE, integration of multiple applications
into a single custom solution could only be accomplished through
a technology known as Dynamic Data Exchange (DDE). DDE proved
very difficult to work with as it required execution of numerous
commands-commands for establishing DDE channels and then passing
commands from one application to another. DDE was also plagued
by slow performance. While many applications still supports DDE
calls, the preferred method of application communication is OLE.
OLE Automation
OLE Automation is a major advancement in cross-application
programmability. While not only demonstrating a substantial improvement
in performance, cross-application development via OLE Automation
is also easier and more efficient than with DDE. With OLE Automation,
instead of sending commands over channels (as was the case of
DDE), a developer can access another application's objects as
though they were native to the application. For example, because
Microsoft Excel 5.0 and Microsoft Project 4.0 both support OLE
Automation, a developer can write a Visual Basic for Applications
macro in Microsoft Project that accesses Microsoft Excel's objects-and
actually sets the properties of and calls the methods of such
objects as though they were native to Microsoft Excel.
Figure 1-14: Inserting an OLE/COM object
OLE Controls
File Type Definitions:
VBX: A custom 16-bit Control used with Visual Basic Modules which can also be devloped in C or C++.
OCX: 16 or 32-bit OLE Controls developed in either
C,C++, or Visual Basic.
Component Object Model (COM) of OLE.
Briefly, COM provides the plumbing needed for applications
to use services on a distributed and cross-platform basis. The
beauty of this model is that it means that you will probably never
need to write to low-level APIs to enable distributed computing
applications. Instead, you will either write or use COM-enabled
applications and derive support for DCE and other distributed
environments in the process. These abilities are provided by the
inclusion of core distributed computing support within the design
of Windows NT.
Distributed Component Object Model
Figure 1-15: Looking at DCOM Properties via the DCOMCNFG.EXE utility
A distributed component architecture applies these benefits across a broader scale of multi-user applications. The Distributed Component Object Model (DCOM) has three unique strengths that make it a key technology for achieving this:
COM is based on the most widely used component technology today. DCOM is simply "COM with a longer wire"-a low-level extension of the Component Object Model, the core object technology within Microsoft® ActiveX.
DCOM is the Microsoft networking technology to extend component applications across the Internet. Because it is an ActiveX technology, DCOM works natively with Internet technologies like TCP/IP, the Java language, and the HTTP network protocol, providing "object glue" that will enable business applications to work across the Web. DCOM enables distributed Java today without requiring any communications-specific code or add-ons such as "remote classes."
DCOM is an open technology that runs on multiple platforms. Microsoft is openly licensing DCOM technology to other software companies to run on all of the major operating systems, including multiple implementations of UNIX-based systems.
DCOM Security
The COM/DCOM security model enables the creation
of secure distributed applications. COM security can be applied
to both existing (legacy) COM components via external configuration
as well as new COM code via the COM security APIs and interfaces.
Figure 1-16: Looking at DCOM Security options via DCOMCNFG.EXE
Services
A service is a process that can run on an NT box
without a user being logged in, effectively acting as part of
the operating system. It is similar to a Unix Daemon or a Netware
Loadable Module. It gains the same rights as a user with the API
functions LogonUser, ImpersonateUser Parameters for services are
not easily changed. The registry should be used to store configuration
information, so the service must check for the registry settings.
Running an existing program as a service
There's an example of this in the NT resource kit.
It contains the two utilities - INSTSRV.EXE and SRVANY.EXE. They
allow administrators to set up applications to function as services.
Table 1-4: Basic Default Services and NetBIOS-Dependent
Services.
Alerter | Along with the Messenger service, generates warning messages to administrators about NetBIOS based events, messages, and problems. |
Clipbook Server | Allows sharing of Clipbook pages to network users. |
Computer Browser | Allows browsing the network for resources shared by other workstations. |
Directory Replicator | Performs directory replication service for administrators to easily copy complete directories to multiple workstations. |
Event Log | Monitors the workstation's use by local and remote users, recording events of significance. Also reports internal error conditions such as malfunctioning hardware, etc. |
Messenger | Sends and receives messages in conjunction with the Alerter Service. The Main value of supporting the messenger service is that you can then receive Service Message Blocks (SMB's) from other networked machines. It uses your username and your workstation name in the NetBIOS name table, with a hex 03 appended to the end of each name. |
Net Logon | Used to verify the authenticity of users logging on to a workstation, workgroup, or domain. |
Network DDE | Required for dynamic data exchange between workstations |
Network DDE DSDM | DDE Shared Database Manager. This service is used by Network DDE. |
NT LM Security Support Provider | Supplies Windows NT Security to RPC Applications that do not use LAN Manager named pipe transports. |
OLE | Provides OLE Support to applications. |
Remote Procedure Call Locator | Used by the RPC to locate available workstations to process remote procedure calls. |
Remote Procedure Call | Its primary use is to support client access to the NT machines. Also a necessary InterProcess Communication Mechanism for Client-Server Computing. |
Schedule | Required for prescheduled commands, such as automated backups, to run at a specified time. |
Server | This refers to a service that allows a device to accept requests from another computers redirector. This is the MS-NET's Network File System Mounter. |
Spooler | Allows a workstation to spool printer files. |
UPS | Monitors the Uninterruptable Power Supply and instructs the system to issue warnings, save files, and shut down prior to power outages. |
Workstation | The redirector service that allows access to shared resources. |
DLLs: Dynamic Linked Libraries
It is a collection of functions which do not constitute
a process, but which can be loaded into a process and invoked.
The loading is done at run time rather than at compile time (those
are static libraries). DLLs have a special entry point DllMain
that is invoked when processes and threads are attached and detached,
allowing data structures to be created and destroyed appropriately.
A lot of the system is implemented in DLLs, even
though their extension changes somewhat. The file types OCX, CPL,
DRV are all really DLLs.
In windows 3.1 each DLL had only one instance of
its data segment regardless of the number of applications using
it. In Windows 32 a DLL can be marked as shared, for the same
behavior, but the default is for each process to have a private
copy of the DLLs data.
Why Create a DLL?
There are several reasons to create and take advantage of Dynamic-Linked-Libraries. Most of revolves around process and task management. Specific reasons-include:
DLL's and the Registry
The following Registry Key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLS
is used heavily by Windows NT to inject DLLs into
address spaces for use by active processes. The value for this
key might contain a single DLL pathname or a set of DLL pathnames
divided by spaces. When you restart your machine and Windows NT
initializes, the Win32 subsystem saves the value of this key.
Then, whenever the USER32.DLL library is mapped into a process,
it retrieves the value from this key and calls a LoadLibrary function
for each DLL specified in the string. One important thing to discuss
is that the USER32.DLL does not check whether each library has
been successfully loaded or initialized.
Windows '95 and the Registry
Windows '95 is a Win32 Operating system in theory
although limited. The same goes for its registry. While many of
the shell properties are commonalties between 95 and NT 4.0, there
are some differences, due to the underlying structure of the operating
systems.
Windows 95 writes much of its configuration information
into hidden SYSTEM.DAT and USER.DAT files, which are found in
the C:\Windows directory. If the system is configured for profiles
(multiple users), a separate USER.DAT file is created for each
user, and each such file is found in the user's own profile directory.
Here is a table displaying the comparisons of the
files used to construct the registry in both Windows '95 and Windows
NT:
Table 1-5: Construction of the Windows '95 Registry
Windows NT | Windows '95 |
SYSTEM
SOFTWARE SAM SECURITY DEFAULT Volatile Hardware Detection | System.dat |
NTUSER.DAT | USER.DAT |
The Registry is divided into a structure similar to Windows NT.
There are six HKEY's (Hive Keys) that allow for aligned modifications.
Note that there is one more key than what is contained in the
Windows NT registry.
HKEY_CLASSES_ROOT
Figure 1-17: HKEY_CLASSES_ROOT under Windows '95
As with Windows NT, the entire HKEY_CLASSES_ROOT key structure
is nothing more than a duplicate version of all subkeys found
in HKEY_LOCAL_MACHINE\Software\Classes. Its primary purpose is
to provide backward compatibility with the Windows 3.1 registration
database. More importantly, it sets the logical root of the classes
subkeys. This also facilitates the capability of applications
integrating 16 and 32 bit Object Linking and Embedding with the
Component Object Model.
HKEY_LOCAL_MACHINE
Figure 1-18: HKEY_LOCAL_MACHINE under Windows '95
The information contained within this key is stored in the SYSTEM.DAT
file in the WINDOWS system directory. Two of its subkeys (Config\000x
and Software\Classes) are the sources for the HKEY_CLASSES_ROOT
and HKEY_CURRENT_CONFIG keys.
HKEY_USERS
Figure 1-19: HKEY_USERS under Windows '95
Like Windows NT, this Key contains at least two subkeys.
A default subkey displaying the default profile contents, and
the profile of the currently logged on user.
HKEY_CURRENT_CONFIG
Figure 1-20: HKEY_CURRENT_CONFIG under Windows '95
The information seen here is aliased to HKEY_LOCAL_MACHINE\Config\000x,
where 000x is the subkey for the current hardware configuration.
If there is only one configuration, then the information is actually
taken from HKEY_LOCAL_MACHINE\Config\0001. There would only be
more in the case of multiple hardware profiles. Laptops with port
replicators can use this for docked parameters and undocked parameters.
HKEY_CURRENT_USER
This information pertains to the currently logged
on user. This information is based upon the user's profile. This
governs the current working environment of the user. This information
is dynamic during the tenure of that user's session. Upon logout,
the contents are then saved to the user's profile (USER.DAT) This
key will alias the HKEY_USERS structure by either mapping to a
user's subtree, or the .DEFAULT subtree if it the first time the
user's profile has been established.
Figure 1-21: HKEY_CURRENT_USER under Windows '95
HKEY_DYN_DATA
The dynamic data key is created every time Windows 95 initializes. Windows NT does not have this key. The data in this key exists wholly in System RAM and is never written to secondary storage. This key is very volatile and is often updated.
This key contains a Configuration Manager that will define the current hardware configuration of the system. These are primarily hardware enumerator keys, which are for pointers to allow for Windows '95's plug and play connectivity.
This key also has sections that are dynamic links
to performance statistics that may be monitored on-screen through
the System Monitor applet. This is a very large area and very
dynamic.
MS-DOS Applications and Windows NT
Most DOS applications will execute in a window or
full screen like under Windows 3.1. Associating the Command Prompt
icon with the COMMAND.COM executable can create a real MS-DOS
icon.
Figure 1-22: COMMAND.COM under Windows NT.
Applications that will not execute are those that
directly access the hardware of an NT system.
Win16 Applications and Windows NT
All the major Windows 3.1 applications execute successfully using the Win16 subsystem. and NT uses it to execute applications moved over from Microsoft's Windows 3.1 system. Applications that should not execute are those that directly access the hardware of an NT system.
As popular applications are converted to Win32 (which will execute on both Windows NT and Windows) the importance of Win16 will lessen. Non-Intel (or Intel clone) processors use a Version of Insignia's SoftPC to execute Win16 applications.
Windows 3.1 used flat files primarily for configuration. Rather than using a hierarchical structure, OS Components and Applications used. Initialization files that are parsed for startup parameters and continuously done so frequently throughout the tenure of the process.
Windows 3.x and Win16 use two common initialization files called WIN.INI and SYSTEM.INI. There are also several other .INI files that are often application-specific. These files are in straight ASCII format that can be edited from any utility that can manipulate ASCII or text files. The file is divided into several sections divided with nested headings as given in the example below:
[windows] Beep=yes NullPort=None BorderWidth=3 CursorBlinkRate=530 DoubleClickSpeed=452 Programs=com exe bat pif Documents= KeyboardDelay=2 KeyboardSpeed=31 ScreenSaveActive=0 ScreenSaveTimeOut=120 NetWarn=0 device=Canon BJC-240,CANONBJ,LPT1: [Desktop] Pattern=170 85 170 85 170 85 170 85 TileWallPaper=0 GridGranularity=0 Wallpaper=(None) WallpaperStyle=0 [Extensions] crd=cardfile.exe ^.crd trm=terminal.exe ^.trm txt=notepad.exe ^.txt ini=notepad.exe ^.ini wri=write.exe ^.wri rec=recorder.exe ^.rec hlp=winhelp.exe ^.hlp mmf=msmail.exe /f ^.mmf
Figure 1-23: WIN.INI
The .INI files contain computer-specific user and
system parameters that help make Windows portable across machines.
This information deals with paths, locations to supporting files,
user-defined configuration, and overall hardware and software
configuration.
The two most common .INI files found in 16-bit Windows
are the WIN.INI and SYSTEM.INI files.
WIN.INI
In 16-bit Windows, the file contained much of the
data that the user might change directly (or indirectly via an
application) pertaining to items such as color schemes, desktop
parameters, port settings, and fonts. Windows NT still uses the
WIN.INI for some 16-bit application support. The Windows NT Registry
also builds certain WOW configuration entries in the Registry
based upon certain parameters found in the WIN.INI file. If certain
specific applications require parameters in the WIN.INI upon installation,
often these setup programs associated with these applications
will place these parameters properly in the WIN.INI file while
running under Windows NT.
Win32 stores this information in two primary locations.
Per-Computer Software settings are found in:
HKEY_LOCAL_MACHINE\Software\
Per User Information is found in:
HKEY_CURRENT_USER
SYSTEM.INI
[keyboard] subtype= type=4 keyboard.dll= oemansi.bin= [boot.description] keyboard.typ=Standard 101/102-Key or Microsoft Natural Keyboard mouse.drv=Standard mouse language.dll=English (American) system.drv=Standard PC codepage=437 woafont.fon=English (437) aspect=100,96,96 display.drv=Cirrus Logic secondnet.drv=No Additional Network Installed [386Enh] DEVICE=VSHARE.386 device=*vpd mouse=*vmouse, msmouse.vxd ebios=*ebios woafont=dosapp.fon display=*vdd,*vflatd netheapSIZE=30 device=*vcd
Figure 1-24: SYSTEM.INI
This file contains system-specific information that
Windows uses for primarily driver and hardware configuration.
It also contains information that Win16 requires in order to totally
boot successfully. Certain sections are very critical and important,
especially the [boot] and [386Enh] sections. Pointers to Drivers
(.DRV and .VXD's) are located throughout the file.
Windows NT uses this file much more minimally than
the WIN.INI file. Windows NT uses a thunk layer of code to pass
many of these parameters to and from the Win32 Subsystem. Therefore
native Windows NT Drivers are used for these 16-bit applications.
Most device drivers, especially CD-ROM drives, Mice, Backup devices,
and especially printer drivers are passed through this Win16 on
Win32 (WOW) layer.
Do not try to install applications that use Virtual
Device Drivers, or any 16-bit device drivers (with the exception
of some FAX drivers). The reason for this is that they will write
information to the SYSTEM.INI file, which will cause them to be
initialized by the application and/or subsystem. They will not
be able to initialize properly because they will have to have
direct access to hardware and this will not be allowed in Windows
NT.
The majority of this information for Win32 is found
in the following registry path:
HKEY_LOCAL_MACHINE\SYSTEM\CURRENT CONTROL SET
The Windows 3.1 Registration Database
Windows 3.1 stored certain information in a manner
beyond a flat text file. With the introduction of extension libraries
like OLE (Object, Linking, and Embedding), Windows brought a Registration
Database. This file (REG.DAT) contained information that governed
how certain applications would open and how it would manage and
print files. It also gave information on file and object associations.
Windows 3.1 REGEDIT.EXE
This was the Registration Database Editor that ran
in two modes. In its regular mode, this utility displayed the
documents and applications that were registered internally in
Windows 3.x. However, when ran in its verbose mode, this utility
would display shell branches beyond each registered entity. This
allowed the user to discretely view and/or control how document
objects were associated by how they would be opened and printed.
This allowed you to simply double-click on a .DOC file in the
File Manager and pull up the Document in Microsoft Word. It would
serve as the vital link that allowed a user to highlight a .WK1
file in the File Manager and have Lotus 1-2-3 automatically print
the spreadsheet.
The commonality between Win16 and Win32 in configuration
involves the memory-mapped coordinates of this database. Both
Win16 and Win32 can reference this as HKEY_CLASSES_ROOT. While
this is direct for Win16, this is merely in place as an alias
in Win32 (Windows NT) It aliases to HKEY_LOCAL_MACHINE\Software\Classes.
This alias insures backward compatibility for 16-bit associations
and OLE registration.
REGEDT32 is not be confused with Windows 3.x REGEDIT
The REGEDIT Program found in the System Root directory
of Windows NT 3.5x systems (usually \WINNT35) is the similar one
from Windows 3.x.'s Registration Info Editor. It is a tool for
adding, modifying, or updating application-integration information
in the registration database. In Windows 3.x, the registration
database is a source of information about applications. This information
is used when you open or print a file from File Manager, and by
applications that support object linking and embedding. The REGEDIT
program under Windows NT allows you to edit 16-bit OLE registration
information. 32-bit OLE registration is contained in the Registry's
HKEY_CLASSES_ROOT subtree.
OS/2 Applications and Windows NT
The OS/2.subsystem supports character-based applications through Version 1.3 that can run independent of the Presentation Manager API.
(Other possible subsystems that could be made available
in the future are PICK and perhaps VMS but this is speculative.)
Windows NT and POSIX Compliance
POSIX stands for Portable Operating System Interface
for Computing Environments. A set of standards drafted by the
Institute of Electrical and Electronic Engineers (IEEE) (1003.1)
that define various aspects of an operating system, including
topics such as programming interface, security, networking, and
graphical interface. Many UNIX Environments such as LINUX are
POSIX-Compliant as well. Code is source compatible across all
POSIX-compliant environments if the code itself is POSIX compliant.
#ifdef DF_POSIX /* DF_MSS */ #include <misc.h> #include <bsdlib.h> #endif #ifndef lint char copyright[] = "@(#) Copyright (c) 1989 The Regents of the University of California.\n\ All rights reserved.\n"; #endif /* not lint */ #ifndef lint static char sccsid[] = "@(#)ls.c?5.48 (Berkeley) 4/3/91"; #endif /* not lint */ #ifdef DF_POSIX /* DF_DSC */ #include <sys/cdefs.h>
Figure 1-26: Example of LS.EXE, a POSIX application
under NT.
Registry Construction
The Boot Sequence
Windows NT boots in a number of stages. Some stages
are specific to Windows NT and some are common to Intel and ARC
based systems, such as the POST (Power-On-Self Test) routine.
The Intel Boot Process
When an Intel based machine is powered on, the CPU is set to run in real memory. This is the beginning of the Power on Self Test (POST) routine. The POST routine is responsible for determining the amount of memory, if required hardware components are present, such as a keyboard, and allowing adapter cards to initialize. The developer of the system's ROM, and the manufacturers of any installed adapter cards determine the information that appears on the screen at this point. Once the system has executed its POST routine, any installed adapter cards are permitted to run their POST routines.
At the end of the POST routine process, the CPU is instructed to process any commands that are at the reboot computer interrupt. This routine attempts to locate the boot device, by first checking drive A: and if no disk is found in drive A: the hard disk C: is checked. The first sector of the hard disk contains the Master Boot Record (MBR), which is loaded into memory. This contains a program that is executed. This program scans the partition table (the remaining portion of the MBR) to locate the "active partition" in the partition table.
Next, the "boot record" for the active
partition is loaded into memory. The boot record starts at the
first logical sector in the active partition. The program located
in the boot record loads the first layer of the program necessary
to start the operating system. When Windows NT is installed, the
boot record is changed to support the loading of NTLDR. The former
boot record (if DOS or OS/2 was on the system is saved as BOOTSECT.DOS.
NTLDR is used to control the Boot Loader Operating
System selection process and requires NTDETECT.COM, BOOT.INI,
and BOOTSECT.DOS to be in the root directory of the boot drive.
In addition, if the drive the system is booting from is a SCSI
drive, the file NTBOOTDD.SYS must also be in the root directory.
NTBOOTDD.SYS is created during Setup (if the boot drive is a SCSI
device), by making a copy of the appropriate SCSI driver in the
root directory, and renaming the driver NTBOOTDD.SYS.
Once NTLDR is started, it proceeds through the following steps:
Construction of the Registry
The registry subtree is divided into parts called
hives (after their resemblance to the cellular structure
of a beehive). A hive is a discrete body of keys, subkeys, and
values that is rooted at the top of the registry hierarchy. A
hive is backed by a single file and a .log file which are in the
WINNT\system32\config or the WINNT\profiles\username
folders. By default, most hive files (Default, Sam, Security,
Software, and System) are stored in the WINNT\%\system32\config
folder. The NTUSER.DAT and NTUSER.DAT.LOG files are stored in
the WINNT\profiles\username folder. The WINNT\profiles
folder contains the user profile for each user of the computer.
HKEY_LOCAL_MACHINE\SAM | Sam and Sam.log |
HKEY_LOCAL_MACHINE\SECURITY | Security and Security.log |
HKEY_LOCAL_MACHINE\SOFTWARE | Software and Software.log |
HKEY_LOCAL_MACHINE\SYSTEM | System and System.log |
HKEY_CURRENT_USER | Ntuser.dat and Ntuser.dat.log |
HKEY_USERS\.DEFAULT | Default and Default.log |
Table 1-6: Registry Keys and their sources.
Registry Size Limits
The total amount of space that can be consumed by Registry data (hives) is restricted by the registry size limit, which is a kind of universal maximum for registry space that prevents an application from filling the paged pool with registry data. Registry size affects both the amount of paged pool the registry can use and the amount of disk space used by the registry.
To view or set the value for RegistrySizeLimit, first
create the key using the following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\RegistrySizeLimit
The registry size can also be viewed and set using
the System option in Control Panel. See the Virtual Memory box
in the Performance tab. The registry size should be changed only
if the computer is either a primary or backup domain controller
for a large network because all user accounts are stored in the
registry. RegistrySizeLimit must have a type of REG_DWORD and
a data length of 4 bytes, or it will be ignored. By default, the
registry size limit is 25 percent of the size of the paged pool..
Setting a large value for RegistrySizeLimit does not cause the
system to use that much space unless it is actually needed by
the registry. A large value also does not guarantee that the maximum
space will actually be available for use by the registry.
The BOOT.INI file
The file boot.ini contains the commands used in the menu that appears when a multiple boot is performed. The syntax used uses labels much like the alternate system boot capability of MS-DOS 6.0 and 6.2 and 6.22. Strings within square brackets are labels that each have a meaning for NTLDR.
In the following example, [boot loader] denotes the
section used to specify the time-out period in seconds, and the
default directory specification for the default system to boot:
[boot loader] timeout=30 default=multi(0)disk(0)rdisk(2)partition(2)\WINNT35 [operating systems] multi(0)disk(0)rdisk(2)partition(2)\WINNT40="Windows NT Server Version 4.0" multi(0)disk(0)rdisk(2)partition(2)\WINNT40="Windows NT Server Version 4.0 [VGA mode]" /basevideo c:\="Windows '95"
Figure 1-27: BOOT.INI
Directory specification are in the ARC syntax, a generic device designation used by RISC systems.
The ARC syntax is as follows, where <component>
specifies the hardware adapter for the device:
scsi or multi(x)disk(y)risk(z)partition(a)
scsi
The scsi option represents the ordinal number of the adapter with the first device 0. SCSI controllers that do not have their BIOS enabled are indicated as scsi.
multi
The multi option represents the ordinal number of the adapter with the first device 0. All other disk controllers including those scsi controllers that do have their BIOS enabled.
disk
The disk option is used only when using a SCSI disk the SCSI bus number for multiple-bus SCSI Adapters times 32 plus the SCSI ID of the disk. For multi y is always 0.
rdisk
the rdisk option is used when using a SCSI drive z is the logical unit number of the device For a non-SCSI device y is the ordinal number of the disk on the adapter.
partition
Partition is the ordinal partition number for the partition. MS-DOS extended
Partitions (type 5) and unused partitions (type 0)
aren't numbered.
BOOT.INI Switches
The BOOT.INI file can contain switches that affect
hoe Windows NT will be booted. In many of my training classes
people ask me whether or not Windows NT has a facility to manage
multiple startup configurations similar to DOS or Windows '95.
We discussed earlier the HKEY_CURRENT_CONFIG key and how it is
used to manage multiple hardware profiles. In addition to the
use of hardware profiles, text-based start-up parameters can be
placed after additional entries in the BOOT.INI file.
Here are most of the BOOT.INI switches:
/NOSERIALMICE= [COMx | COMx,y,z...]: Disables Serial Mouse Detection on the specified COM port. If no COM port is specified, then detection is disabled on all ports. This is excellent when trying to troubleshoot potential IRQ conflicts.
/BASEVIDEO: This causes the system to bypass whatever video driver is configured and use the standard VGA display driver (VGA.SYS and VGA.DLL) in the standard 16-color 640x480 resolution mode.
/DEBUG : enables debugging and sends the debug output to the last COM port known to the system.
/DEBUGPORT=COMx: sends debug output to the designated port.
/BAUDRATE=nnnnn: specifies the baud rate for the COM port using a modem with default of 19200 (can use null modem cable).
/CRASHDEBUG: This enables Windows NT's automatic recovery and restart capability. This can also be enabled within the System icon in the Control Panel.
/SOS: This switch is used the display the names of the drivers as they are being loaded. Without this switch, the normal progression dots display.
/NODEBUG: This switch specifies that there is no debugging information being monitored. This is only useful for developers and has a tendency to slow down system performance.
/MAXMEM:n: Specifies the maximum amount of memory Windows NT will use. Does not work on certain configurations.
/SCSIORDINAL:n: This switch
is used only if the system has two identical controllers. This
allows for distinguished controllers
NTDETECT.COM
If Windows NT is selected, NTLDR then executes NTDETECT.COM. NTDETECT.COM collects information on the hardware components installed in the machine. It then builds a list of these components and returns this information to NTLDR.
Currently, the following information can be detected
by NTDETECT.COM:
Table 1-7: Information Gathered by NTDETECT.COM
Information | Example Registry Entry |
Machine ID | AT/AT Compatible |
Bus/Adapter Type | ISA |
Video | Video7 VGA |
Keyboard | PCAT_ENHANCED |
Communication Port | COM1 |
Parallel Port | PARALLEL1 |
Floppy | Floppy1/Floppy2 |
Mouse | Microsoft Serial Mouse |
After NTDETECT.COM has given NTLDR the list of installed hardware, the Windows NT boot process continues in its load phases.
The ARC Based Boot Process
On ARC based systems, the resident ROM firmware will select a boot device by reading a boot precedence table from non-volatile RAM. In the case where the non-volatile RAM is not valid or blank, the firmware will either query the user for the boot device or default to a: floppy, hard disk sequence. For a hard disk boot, the firmware will read the first physical sector of the boot drive (the Master Boot Record (MBR)) and determine if a bootable partition is present. If there is a bootable partition present, the first sector of the partition will be read into memory and the BIOS Parameter Block (BPB) examined to determine whether or not the volume's file system is one that the firmware supports. If the file system is supported by the firmware, the root directory of the volume will be searched for OSLOADER.EXE, and if found will be loaded and control passed to it.
The Boot Loader menu and functionality that is implemented by NTLDR on x86 based systems is not needed on ARC (Advanced RISC Computer) based systems. This is because ARC based systems have the NTLDR functionality built into the system firmware. Therefore, there is no need for NTLDR, the initial stages of the Windows NT load are handled by OSLOADER.EXE.
In addition, there is also no need for NTDETECT.COM
on ARC based systems. The ARC POST routine collects the hardware
information and OSLOADER.EXE gets the necessary information from
the POST routine.
The Windows NT System Load Phases
The following stages will occur on all platforms
once the Windows NT Kernel has been located.
Kernel Load
During this stage, the Windows NT kernel (NTOSKRNL.EXE) and the Hardware Abstraction Layer (HAL) are loaded into memory, but not initialized. Next a copy of the system hive, HKEY_LOCAL_MACHINE\SYSTEM, from the Registry is loaded into memory. When the system hive is loaded, this gives the user the option to select a hardware profile or to boot the LastKnownGood Configuration. Otherwise, at this time, the Registry is scanned for drivers with a start value of 0 (boot), which indicate they should be loaded but not initialized before the kernel, and a service type value of 0x1, which indicates it is a kernel device driver. Drivers with these values are typically low-level hardware device drivers, such as hard disk device drivers.
These drivers are not loaded into memory in the order
found, instead their group value is first examined to sort the
list. The sorting is based on the position of the Group Value
in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder Value: List
Kernel Initialization
The screen turning blue signifies this stage of the boot process. This is when NTOSKRNL.EXE is initialized and control is passed to it. Subsequently, all of the drivers that were loaded during the Kernel Load stage are initialized. If an error is encountered, action will be taken based on the drivers ErrorControl Value. Once again, the Registry information is scanned, this time for drivers that have a 0x1 start (System) value. Similar to the Kernel Load phase, the list is sorted according to order and the drivers are then loaded. In addition, these drivers are initialized as soon as they are loaded.
During this stage, the Registry Hardware list is
created using the information that was passed from NTLDR or OSLOADER.EXE,
depending on the type of system. Creating a link to ControlSet00x,
where x is 1, creates the CurrentControlSet or 2 as determined
by checking the value of Default under:
\HKEY_LOCAL_MACHINE\SYSTEM\Select
In addition, making a copy of the CurrentControlSet creates the Clone ControlSet and both CurrentControlSet and Clone are initialized, but not saved yet.
Services Load
This stage is when Session Manager (SMSS.EXE) is
started. The first thing Session Manager does after starting is
it reads and executes the list of programs under the BootExecute
program in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute
The default entry is:
autocheck autochk *.
AUTOCHK.EXE is the version of CHKDSK that automatically
performs a check on each partition. If this entry is changed to
read:
autocheck autochk /p *,
the /p will force the equivalent of a CHKDSK /F on each partition on every subsequent restart of the system. Since the BootExecute value is a REG_MULTI_SZ, BootExecute can have more than one entry under it. Therefore, you could add a second line such as: autocheck autochk /p \DosDevices\c:, to have AUTOCHK.EXE perform the equivalent of CHKDSK /F on drive c: for each restart of the system. If a drive has been set to be converted to NTFS on the next system boot, the following entry will be added to ...\SessionManager\BootExecute: autocheck autoconv \DosDevices\x: /FS:ntfs.
Once the check disk information starts displaying on the blue screen, it is a clear indication that Session Manager has started. Of course, if this information does not appear it is possible that the autocheck line was removed from the BootExecute Registry entry.
After all of the checks have been successfully performed
on the system's hard drives, Session Manager will set up the Pagefiles
defined under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
Next, since the partitions are now checked and the
paging files are setup the CurrentControlSet
and the Clone ControlSet are written to the Registry. The next
items to occur are the creation of symbolic links. These links
are used to direct certain classes of commands to the correct
component in the file system. These entries are located in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\DOS Device Drivers
Finally, the entries in Required under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems
are loaded.
As can be seen, by default the only required entry
is the Win32 subsystem (CSRSS.EXE). This subsystem is required,
because all access to the video screen goes through the Win32
subsystem, therefore it must always be loaded.
Win32 Subsystem Start
When the Win32 subsystem is started, it automatically
starts WINLOGON.EXE, which starts its System entries under:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\Current Version\Winlogon
By default WINLOGON.EXE will start the Local Security
Authority subsystem (LSASS.EXE) and the print spooler (SPOOLSS.EXE).
Next, the welcome screen is presented with the CTRL+ALT+DEL logon
message and then the Service Controller (SCREG.EXE) is executed.
Once the Service Controller has started, it makes
a final pass through the Registry looking for items with a start
value of 0x2 (Automatic). However, at this point the loading sequence
is determined differently from that of the device drivers that
were loaded earlier in the process. All services with a 0x2-start
value have certain dependencies, DependOnGroup and/or DependOnService
entries that determine their load order. This is necessary because
these services are loaded in parallel for better performance,
where as the device drivers were loaded serially so their Group
order was sufficient. Each service must have its dependencies
started before it will be able to start.
Migrating .INI information to the Registry
If you install Windows NT as an upgrade over Windows
3.1, all the settings from various initialization files are copied
into the Registry, including CONTROL.INI, PROGMAN.INI, SYSTEM.INI,
WIN.INI, WINFILE.INI, and others. You can see where the Windows
initialization files are mapped in the Registry by viewing the
subkeys and value entries under this path:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping
When you install an application created for 16-bit
Microsoft Windows, the application's setup program creates its
own .INI file or creates entries for the WIN.INI or SYSTEM.INI
file. This is the same way that is done for any versions of 16-bit
Windows 3.x. These entries are not updated in the Registry, because
these applications do not know how to access the Windows NT Registry.
For this reason, basic SYSTEM.INI, WIN.INI, and WINFILE.INI files
appear in the root directory in Windows NT.
To find mapping information in the HKEY_LOCAL_MACHINE\Software
key, the system looks up the FILENAME.EXT of the initialization
file. If a match is found, it looks under the mapped key for the
specific application name and a variable name, and if necessary
it continues to look for keys whose value entries are the variable
names. If no mapping for either the application name or filename
is found, the system looks for an .INI file to read and write
its contents.
Table 1-7: Symbols within entries in the IniFileMapping
key.
! | Forces all writes to got to both the Registry and to the .INI file on disk. |
# | Causes the Registry value to be set to the value in the Windows 3.1 .INI file whenever a new user logs in for the first time after Setup, if Windows NT was installed on a computer that had Windows 3.1 already installed. |
@ | Prevents any reads from going to the .INI file on disk if the requested data is not found in the Registry. |
USR | Stands for HKEY_CURRENT_USER, and the text after the prefix is relative to that key. |
SYS | Stands for HKEY_LOCAL_MACHINE\SOFTWARE, and the text after the prefix is relative to that key. |
![]() ![]() |
![]() ![]() |
![]() ![]() |
COMPUTING MCGRAW-HILL | Beta Books | Contact Us | Order Information | Online Catalog
Computing McGraw-Hill is an imprint of the McGraw-Hill Professional Book Group.