How to Diagnose the Windows XP Boot Process

Make the boot files viewable. Start by opening Windows Explorer. Choose "Tools--Folder Options." Select the View tab, and scroll until you find the "Hidden Files And Folders" option. Select "Show Hidden Files And Folders." Deselect "Hide Protected Operating System Files." Un-check "Hide File Extensions For JKnown File Types." Click "OK." You'll now be able to see the Windows system files we'll be discussing.

Find the MBR (master boot record). The MBR is located on the first hard drive and is loaded into memory. The MBR finds the bootable partition and searches it for the boot sector of that partition.

Find the NTLDR file. NTLDR switches the system from real mode to protected mode and enables paging. Protected mode enables the system to address all of the available physical memory. It’s also referred to as 32-bit flat mode. At this point, the file system is also started.

Find NTDETECT. Understand that NTLDR loads and runs NTDETECT.COM. NTDETECT.COM checks the system for installed devices and device configurations and initializes the devices it finds. It passes the information to NTLDR, which collects this information and passes it to NTOSKRNL.EXE after that file is loaded.

Search for and examine NTOSKRNL.EXE. NTLDR loads NTOSKRNL.EXE and HAL.DLL. NTOSKRNL.EXE holds the OS kernel, and what’s known as the executive subsystems. Executive subsystems are software components that parse registry control set configuration information and start services and drivers. HAL.DLL enables communication between the OS and the installed hardware. NTLDR loads the HKEY_LOCAL_MACHINE\SYSTEM registry hive and loads device drivers. The drivers that load at this time serve as boot drivers, using an initial value called a start value. NTLDR transfers control to NTOSKRNL.EXE. NTOSKRNL.EXE initializes loaded drivers and completes the boot process. WINLOGON loads. At this point, you are presented with the Logon screen. After you enter a username and password, you’re taken to the Windows Desktop.