NTLDR: Difference between revisions

NTLDR (abbreviation of NT Loader) is the boot loader for all releases of Microsoft's Windows NT operating system up to and including Windows XP and Windows Server 2003. NTLDR is typically run from the primary hard disk drive, but it can also run from portable storage devices such as a CD-ROM, USB flash drive, or floppy disk. NTLDR can also load a non NT-based operating system given the appropriate boot sector in a file.

NTLDR requires, at the minimum, the following two files to be on the system volume:

• NTLDR, which contains the main Boot loader itself
• boot.ini, which contains configuration options for a boot menu.

To load an NT-based OS, ntdetect.com must also be present. (Strictly speaking, only NTLDR is actually required. If boot.ini is missing, NTLDR will default to \Windows on the first partition of the first hard drive. Many desktops in the home are in this configuration and a missing boot.ini file will simply generate an error stating it is missing, then boot into Windows successfully.) In Vista, Boot information is stored in a Registry-like file called the Boot Configuration Data (BCD) store. Vista comes with a command-line tool bcdedit.exe for configuring BCD.

The Volume Boot Record written to disk by the Windows NT format command attempts to load and to run the NTLDR program.

In Windows Vista, Windows Server 2008 and newer versions, NTLDR was replaced; the boot loader functionality is instead provided by two new components: winload.exe and the Windows Boot Manager.

Startup process

When booting, the loader proper portion of NTLDR does the following in order:

1. Accesses the file system on the boot drive (either FAT or NT File System, NTFS).
2. If hiberfil.sys is found, and it finds a hibernation image, its contents are loaded into memory and the system resumes where it left off.
3. Otherwise, reads boot.ini and prompts the user with the boot menu accordingly.
4. If a non NT-based OS is selected, then NTLDR loads the associated file listed in boot.ini (bootsect.dos if no file is specified or if the user is booting into a DOS based OS) and gives it control.
5. If an NT-based OS is selected, then NTLDR runs ntdetect.com, which gathers information about the computer's hardware. (If ntdetect hangs during hardware detection there is a debug version called ntdetect.chk which can be found on Microsoft support.^[1])
6. Starts Ntoskrnl.exe, passing to it the information returned by ntdetect.com.^[2]

boot.ini

NTLDR allows the user to choose which operating system to boot from at the menu; for NT and NT-based operating systems, it also allows the user to pass preconfigured options to the kernel. The menu options are stored in boot.ini, which itself is located in the root of the same disk as NTLDR.

For NT-based OSs, the location of the operating system is written as an Advanced RISC Computing (ARC) path.

boot.ini is protected from user configuration by having the following file attributes: system, hidden, read-only. To make it editable, you must first unlock it with the following command under a console attrib -s -h -r boot.ini. A more secure fashion to edit the file is to use the bootcfg command from a console. bootcfg will also relock the file (setting the file back to system, hidden and read-only). Additionally, the file can be edited within Windows using a text editor if the folder view option "Show hidden files and folders" is selected and the folder view option "Hide protected operating system files" is unchecked and the "Read-only" option is unchecked under file properties.

bootsect.dos is the boot sector loaded by NTLDR to load DOS. If there is no file specified, NTLDR loads bootsect.dos

Example

An example of a boot.Ini file:

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect

If the boot loader timeout option in boot.ini is set to 0, the NTLDR boot menu does not appear. Extreme caution should be taken when modifying the boot loader, as erroneous information can result in an OS that fails to boot.

NT Kernel switches

File:NTLDR Menu.png

NTLDR Bootloader's Advanced Option Menu

• /3GB — Forces x86-based systems to increase the virtual address space allocated for user programs to 3 GB, and to decrease to 1 GB allocated to the kernel and to executive components. Used for some programs that require more than the standard 2 GB allocated to user programs and 2 GB allocated to the system. Some configurations of Windows Server 2003 that run virtual memory- intensive applications such as database servers or Microsoft Exchange Server 2003 may require this switch^[3] or may benefit from improved performance^[4].
• /BASEVIDEO — Forces the system into standard 640x480 16-color VGA mode by using a video device driver that is compatible with any video adapter. If the operating system fails to load due to a faulty or incorrectly-configured video driver, this switch allows the system to load, so the user may then remove, update, or roll back the problem video driver. Using this switch in conjunction with the /SOS switch helps to determine the driver that is triggering a failure.^[3]
• /BAUDRATE=nnn — Sets the baud rate of the debug port that is used for kernel debugging. Use of this switch automatically enables the /DEBUG switch.^[3] Specifies an override for the default baud rate (19200) at which a remote kernel debugger host will connect.^[4] Example: /BAUDRATE=115200.
• /BOOTLOG — Turns on boot logging to a file named %SystemRoot%\Ntbtlog.txt.^[3]
• /BOOTLOGO — Displays an alternate 640x480 16-color custom bitmap. The bitmap must be saved in the \Windows directory with the name boot.bmp. Use with the /NOGUIBOOT switch.^[4]
• /BURNMEMORY=nnn — Specifies the amount of memory, in megabytes, that Windows cannot use. Use this parameter to confirm a performance problem or other problems that are related to RAM depletion.^[3]
• /CHANNEL=nn — Use with the /DEBUG switch and the /DEBUGPORT=1394 switch to selects the IEEE 1394 interface channel (numbered 0 to 62) through which kernel debugging communications will flow.^[3]
• /CRASHDEBUG — Loads the kernel debugger at OS startup, but it remains inactive until a Stop Error occurs. With this switch, the COM port can be used for normal operations while Windows is running. If Windows crashes, the switch converts the port to a debug port. (This action turns on remote debugging.)^[3]
• /DEBUG — Turns on the kernel debugger when Windows starts. Unlike the /CRASHDEBUG switch, /DEBUG uses the COM port whether you use debugging or not.^[3]
• /DEBUGPORT=comx — Specifies the COM port to use for the debug port. By default, /DEBUGPORT uses COM2 if it exists. Otherwise, the default is COM1. Use of this switch automatically enables the /DEBUG switch.^[3]

• /FASTDETECT[:comx[,comy]] — Turns off serial and bus mouse detection for the specified port(s), or for all ports if none are specified. Use this switch when there is a component other than a mouse attached to a serial port during the startup process. Ports may be separated with commas to turn off more than one port. (Note: In earlier versions of Windows, including Windows NT 4.0, this switch was named /NOSERIALMICE.)^[3]
• /HAL=filename — Defines the Hardware Abstraction Layer that is loaded at startup. This switch is useful to try out a different HAL before you rename the file to HAL.DLL. This switch is also useful when you want to try to switch between starting in multiprocessor mode and starting in single processor mode. To do this, use this switch with the /KERNEL switch.^[3]
• /KERNEL=filename — Defines the kernel that is loaded at startup. With this switch, you can switch between a debug-enabled kernel that is full of debugging code and a regular kernel.^[3]
• /MAXMEM=nnn — Specifies the maximum amount of RAM, in megabytes, that Windows can use.^[3] However, the /MAXMEM switch does not account for memory holes. Therefore, it is recommended to use the /BURNMEMORY switch instead.^[5]
• /MININT — This option is used by Windows Preinstallation Environment (WinPE) and loads the Registry SYSTEM hive as a volatile hive such that changes made to it in memory are not saved back to the hive image.^[4]
• /NODEBUG — Turns off debugging. This scenario can cause a Stop Error if a program has a debug hardcoded breakpoint in its software.^[3]
• /NOEXECUTE={OPTIN|OPTOUT|ALWAYSON|ALWAYSOFF} — This option is only available on 32-bit versions of Windows when running on processors supporting Data Execution Prevention (DEP). It enables DEP, which results in the memory manager marking pages containing data as no-execute so that they cannot be executed as code. This can be useful for preventing malicious code from exploiting buffer overflow bugs with unexpected program input in order to execute arbitrary code. No-execute protection is always enabled on 64-bit versions of Windows on processors that support no-execute protection. There are several options you can specify with this switch:^[4]
  • /NOEXECUTE=OPTIN — Enables DEP for core system images and those specified in the DEP configuration dialog.
  • /NOEXECUTE=OPTOUT — Enables DEP for all images except those specified in the DEP configuration dialog.
  • /NOEXECUTE=ALWAYSON — Enables DEP on all images.
  • /NOEXECUTE=ALWAYSOFF — Disables DEP.
• /NOGUIBOOT — Disables the bitmap that displays the progress bar for Windows startup.^[3] This also disables the text output by chkdsk.^{[citation needed]}
• /NOPAE — Forces Ntldr to load the non-Physical Address Extension (PAE) version of the Windows kernel, even if the system is detected as supporting x86 PAEs and has more than 4 GB of physical memory.^[4]
• /NOSERIALMICE[=comx] — (Obsolete on all versions post-Windows NT 4.0) Replaced by the absence of the /FASTDETECT switch. Disables serial mouse detection on the specified COM ports. Using /NOSERIALMICE without specifying a COM port disables serial mouse detection on all COM ports.^[4]
• /NUMPROC=nnn — Sets the number of processors that Windows will run at startup. With this switch, you can force a multiprocessor system to use only the quantity of processors (number) that you specify. Useful for troubleshooting performance problems and defective CPUs.^[3]
• /ONECPU — Equivalent to using /NUMPROC=1. Causes Windows to use only one CPU on a multiprocessor system.^[4]
• /PAE — Enables Physical Address Extension support. In Safe Mode, the computer starts by using normal kernels, even if the /PAE switch is specified.^[3]
• /PCILOCK — For x86-based systems, this stops the operating system from dynamically assigning hardware input, hardware output, and interrupt request resources to PCI devices. Instead, the BIOS configures the devices.^[3]
• /REDIRECT — Turns on Emergency Management Services (EMS) on a Windows Server 2003, Enterprise Edition-based computer. To turn on EMS by editing the Boot.ini on an x86-based computer, edit both the [boot loader] section and the [operating systems] section of the Boot.ini file.^[3]
• /SAFEBOOT:{MINIMAL|NETWORK|DSREPAIR}[(ALTERNATESHELL)] — Causes Windows to start in Safe Mode. You must include the colon plus one of the three types listed above. An additional option you can append is (ALTERNATESHELL), which tells Windows to use the program specified by the HKLM\SYSTEM\CurrentControlSet\SafeBoot\AlternateShell value as the graphical shell rather than to use the default, which is Windows Explorer.^[4] You can also combine other boot.ini parameters with /SAFEBOOT:type. The following examples illustrate the parameters that are in effect when you select a Safe Mode option from the startup recovery menu. (Note: The /SOS, /BOOTLOG, and /NOGUIBOOT switches are not required with any one of these settings, but the switches can help with troubleshooting.) ^[3]
  • Safe Mode (/SAFEBOOT:MINIMAL /SOS /BOOTLOG /NOGUIBOOT) — Default: Uses a minimal set of device drivers and services to start Windows.^[6]
  • Safe Mode with Networking (/SAFEBOOT:NETWORK /SOS /BOOTLOG /NOGUIBOOT) — Default mode together with the drivers necessary to load networking.^[6]
  • Safe Mode with Command Prompt (/SAFEBOOT:MINIMAL(ALTERNATESHELL) /SOS /BOOTLOG /NOGUIBOOT) — Default mode, except that Cmd.exe starts instead of Windows Explorer.^[6]
  • Windows in Directory Services Restore Mode (/SAFEBOOT:DSREPAIR /SOS) — (This mode is valid only for Windows-based domain controllers.) Performs a directory service repair.^[6]
• /SOS — Displays the device driver names while they are being loaded. Use with the /BASEVIDEO switch to determine the driver that is triggering a failure.^[3]
• /USEPMTIMER — Specifies that Windows uses the Power Management Timer (PM_TIMER) timer settings instead of the Time Stamp Counter (TSC) timer settings if the processor supports the PM_TIMER settings.^[3] By default, Windows Server 2003 Service Pack 2 (SP2) uses the PM timer for all multiprocessor APIC or ACPI HALs. If you are not running Windows Server 2003 SP2, you must force the computer to use the PM timer by using the /USEPMTIMER switch.^[7]
• /USERVA=nnn — Customizes the amount of memory, in megabytes, that is allocated to processes when using the /3GB switch. This switch permits more page table entry kernel memory but still maintains almost 3 GB of process memory space.^[6]
• /WIN95 — Directs Ntldr to boot the Windows boot sector stored in bootsect.w40.^[4]
• /WIN95DOS — Directs Ntldr to boot the MS-DOS boot sector stored in bootsect.dos.^[4]
• /YEAR — Instructs the Windows core time function to ignore the year that the computer's real-time clock reports and instead use the one indicated. Example: /YEAR=2001. (This switch was created to assist in Y2K testing.)^[4]

See also

• Windows NT startup process
• ntdetect.com
• Ntoskrnl.exe
• Emergency Management Services (EMS)
• Comparison of boot loaders

References

1. Windows 2000 Server
2. Microsoft (2000). Windows 2000 Professional Resource Kit (1st ed.). Redmond, WA: Microsoft Press. ISBN 1-57231-808-2.
3. Microsoft (November 28, 2007). "Available switch options for the Windows XP and the Windows Server 2003 Boot.ini files". Retrieved August 19, 2009.
4. Russinovich, Mark (November 1, 2006). "Boot INI Options Reference". Windows Sysinternals Library on TechNet. Microsoft. Retrieved August 19, 2009.
5. MSDN: /BURNMEMORY specification
6. A description of the Safe Mode Boot options in Windows XP
7. Programs that use the QueryPerformanceCounter function may perform poorly in Windows Server 2000, in Windows Server 2003, and in Windows XP

External links

• How to edit the Boot.ini file in Windows XP
• BOOT.INI and ARC Path Naming Conventions and Usage
• Install Debian Linux from NTLDR
• MS Knowledge Base help on "NTLDR Is Missing" error message in Windows 2000 and Windows XP (also [1], [2], [3]
• Explanation of BOOT.INI by Daniel B. Sedory
• Reasons for and how to fix "NTLDR is missing"
• Simple "NTLDR is missing" fix