Читаем Windows® Internals, Sixth Edition, Part 2 полностью

Phase1InitializationDiscard, which, as the name implies, discards the code that is part of the INIT section of the kernel image in order to preserve memory.

The initialization thread sets its priority to 31, the highest possible, in order to prevent preemption.

The NUMA/group topology relationships are created, in which the system tries to come up with the most optimized mapping between logical processors and processor groups, taking into account NUMA localities and distances, unless overridden by the relevant BCD settings.

HalInitSystem prepares the system to accept interrupts from devices and to enable interrupts.

The boot video driver is called, which in turn displays the Windows startup screen, which by default consists of a black screen and a progress bar. If the quietboot boot option was used, this step will not occur.

The kernel builds various strings and version information, which are displayed on the boot screen through Bootvid if the sos boot option was enabled. This includes the full version information, number of processors supported, and amount of memory supported.

The power manager’s initialization is called.

The system time is initialized (by calling HalQueryRealTimeClock) and then stored as the time the system booted.

On a multiprocessor system, the remaining processors are initialized by KeStartAllProcessors and HalAllProcessorsStarted. The number of processors that will be initialized and supported depends on a combination of the actual physical count, the licensing information for the installed SKU of Windows, boot options such as numproc and onecpu, and whether dynamic partitioning is enabled (server systems only). After all the available processors have initialized, the affinity of the system process is updated to include all processors.

The object manager creates the namespace root directory (\), \ObjectTypes directory, and the DOS device name mapping directory (\Global??). It then creates the \DosDevices symbolic link that points at the Windows subsystem device name mapping directory.

The executive is called to create the executive object types, including semaphore, mutex, event, and timer.

The I/O manager is called to create the I/O manager object types, including device, driver, controller, adapter, and file objects.

The kernel debugger library finalizes initialization of debugging settings and parameters if the debugger has not been triggered prior to this point.

The transaction manager also creates its object types, such as the enlistment, resource manager, and transaction manager types.

The kernel initializes scheduler (dispatcher) data structures and the system service dispatch table.

The user-mode debugging library (Dbgk) data structures are initialized.

If Driver Verifier is enabled and, depending on verification options, pool verification is enabled, object handle tracing is started for the system process.

The security reference monitor creates the \Security directory in the object manager namespace and initializes auditing data structures if auditing is enabled.

The \SystemRoot symbolic link is created.

The memory manager is called to create the \Device\PhysicalMemory section object and the memory manager’s system worker threads (which are explained in Chapter 10).

NLS tables are mapped into system space so that they can be easily mapped by user-mode processes.

Ntdll.dll is mapped into the system address space.

The cache manager initializes the file system cache data structures and creates its worker threads.

The configuration manager creates the \Registry key object in the object manager namespace and opens the in-memory SYSTEM hive as a proper hive file. It then copies the initial hardware tree data passed by Winload into the volatile HARDWARE hive.

The high-resolution boot graphics library initializes, unless it has been disabled through the BCD or the system is booting headless.

The errata manager initializes and scans the registry for errata information, as well as the INF (driver installation file, described in Chapter 8) database containing errata for various drivers.

Superfetch and the prefetcher are initialized.

The Store Manager is initialized.

The current time zone information is initialized.

Global file system driver data structures are initialized.

Phase 1 of debugger-transport-specific information is performed by calling the KdDebuggerInitialize1 routine in the registered transport, such as Kdcom.dll.

The Plug and Play manager calls the Plug and Play BIOS.

The advanced local procedure call (ALPC) subsystem initializes the ALPC port type and ALPC waitable port type objects. The older LPC objects are set as aliases.

If the system was booted with boot logging (with the BCD bootlog option), the boot log file is initialized. If the system was booted in safe mode, a string is displayed on the boot screen with the current safe mode boot type.