Unknown Kadath

XP Won’t Boot :( Repair Series Part 2: Bootloader to Logon Issues

Posted on April 9th, 2013 by James Litten


DISCLAIMER: These examples use techniques that I actually employ in the real world to deal with real problems. They might be wrong or dangerous. They might be inefficient. If you try them yourself, it might cause damage or irreparable loss. I take no responsibility for anything you do based on my examples or the information that I provide here.

In part 1 we went through the computer powering on, running the code in the BIOS, finding the MBR on the boot disk and using it to find the location of the boot partition on that disk. Now we continue from the point where the code in the boot sector is accessed.

The last thing the MBR does is to put the code from the first sector of the boot partition into memory and transfer control to it. Since all of this code is still being run in real mode and hasn’t switched into protected mode yet, you can encounter settings that have been modified by viruses and malware. For example, the MBR could point to an infected or erroneous boot sector. Keep this in mind when investigating anomalies here.

The XP/NTFS boot sector and subsequent bootstrapping code is a very complex topic that is beyond the scope of this article. If, like me, you enjoy that kind of stuff, check out this link for more info…
http://thestarman.pcministry.com/asm/mbr/NTFSBR.htm

The boot sector is in the partition’s Volume Boot Record (VBR). While the MBR exists at the first sector on the disk, the VBR is located at the first sector of the partition. The MBR determines which VBR is loaded. The VBR is similar to the MBR in that it contains a small program that is loaded into memory and run to start loading the boot loader, which in turn allows you to choose which operating system to load. In our example we are talking about loading a single Windows XP 32-bit OS using an NTFS file system.
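
An added example, not from the original article: a read-only Python check that follows the MBR's active partition entry to its VBR and confirms the two agree (boot signatures, NTFS OEM ID, and the VBR's hidden-sectors field against the partition's starting sector). The disk images are constructed in build_image(); the function names are this example's own, and the offsets are the standard MBR partition-table and NTFS boot-sector fields.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"

def active_partition(mbr):
    """Return (type, start_lba, sector_count) of the single active MBR entry."""
    if len(mbr) < SECTOR or mbr[510:512] != BOOT_SIG:
        raise ValueError("MBR boot signature 55 AA missing")
    active = []
    for i in range(4):
        entry = mbr[446 + 16 * i:446 + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        start_lba, count = struct.unpack_from("<II", entry, 8)
        if status == 0x80:
            active.append((ptype, start_lba, count))
        elif status != 0x00:
            raise ValueError(f"entry {i}: invalid status byte {status:#04x}")
    if len(active) != 1:
        raise ValueError(f"expected one active partition, found {len(active)}")
    return active[0]

def check_ntfs_vbr(vbr, start_lba):
    """List inconsistencies in an NTFS VBR that was read from sector start_lba."""
    problems = []
    if vbr[510:512] != BOOT_SIG:
        problems.append("VBR boot signature 55 AA missing")
    if vbr[3:11] != b"NTFS    ":
        problems.append(f"OEM ID {vbr[3:11]!r} is not 'NTFS    '")
    (bytes_per_sector,) = struct.unpack_from("<H", vbr, 0x0B)
    if bytes_per_sector != SECTOR:
        problems.append(f"bytes per sector is {bytes_per_sector}, expected {SECTOR}")
    (hidden,) = struct.unpack_from("<I", vbr, 0x1C)
    if hidden != start_lba:
        problems.append(f"hidden sectors {hidden} != partition start LBA {start_lba}")
    return problems

def check_image(image):
    """Follow the MBR's active entry to its VBR and check both."""
    ptype, start_lba, _count = active_partition(image[:SECTOR])
    problems = []
    if ptype != 0x07:
        problems.append(f"partition type {ptype:#04x} is not 0x07 (NTFS)")
    offset = start_lba * SECTOR
    if offset + SECTOR > len(image):
        return problems + ["partition start lies beyond the end of the image"]
    return problems + check_ntfs_vbr(image[offset:offset + SECTOR], start_lba)

def build_image(start_lba, hidden):
    """Constructed test disk: MBR with one active NTFS entry plus a minimal VBR."""
    image = bytearray((start_lba + 1) * SECTOR)
    # status, 3 CHS bytes, type, 3 CHS bytes, start LBA, sector count
    struct.pack_into("<B3xB3xII", image, 446, 0x80, 0x07, start_lba, 1)
    image[510:512] = BOOT_SIG
    vbr = start_lba * SECTOR
    image[vbr:vbr + 11] = b"\xeb\x52\x90NTFS    "
    struct.pack_into("<H", image, vbr + 0x0B, SECTOR)
    struct.pack_into("<I", image, vbr + 0x1C, hidden)
    image[vbr + 510:vbr + 512] = BOOT_SIG
    return bytes(image)

if __name__ == "__main__":
    print(check_image(build_image(63, 63)))    # MBR and VBR agree
    print(check_image(build_image(2048, 63)))  # VBR placed at a different start sector
```
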

The main purpose of our VBR is to load NTLDR which is a hidden, system file that resides in the root directory of the system partition. NTLDR will start loading XP then Ntoskrnl.exe continues on followed by the Session Manager Subsystem and finally the Logon.



The XP Bootloader to Logon Process

NTLDR
Initial Boot Loader Phase
Switches the CPU to protected mode, sets up memory paging and accesses the file system on the boot drive.

Operating System selection
If Windows was put in the hibernation state, the contents of hiberfil.sys are loaded into memory and the system resumes where it left off.

Otherwise it reads the boot.ini file and prompts the user with the boot menu if more than one option is available (dual boot for example). In our example it points to the C:\Windows directory. If there is no boot.ini file, it will attempt a default XP boot from C:\Windows.

Hardware Detection
NTLDR then runs ntdetect.com, which gathers information about the computer’s hardware. This list will later be loaded in the registry under the HKEY_LOCAL_MACHINE\HARDWARE key.

Configuration Selection
If you have multiple hardware profiles it will ask you to choose one at this point.

Load Kernel
Starts Ntoskrnl.exe phase 0, passing to it the information returned by ntdetect.com. The Hardware Abstraction Layer (HAL.dll) is loaded to sit between the hardware and the kernel. The screen is cleared and a series of white rectangles progress across the bottom of the screen.

Load Boot Device Drivers
Any driver under HKEY_LOCAL_MACHINE\SYSTEM\Services that has a Start value of SERVICE_BOOT_START is loaded. A period is printed to the screen for each loaded file.

NTLDR is done here and Ntoskrnl carries on.
At this point, the system displays the XP splash screen with a status bar indicating load status.


Ntoskrnl.exe phase 1
The HAL begins accepting interrupts from devices. If more than one processor is present the additional processors are initialized at this point. All Executive subsystems are reinitialized in the following order:

1) Object Manager
2) Executive
3) Microkernel
4) Security Reference Monitor
5) Memory Manager
6) Cache Manager
7) LPCS
8) I/O Manager
9) Process Manager

I/O Manager assembles a prioritized list of drivers and attempts to load them. Failure of a driver to load may prompt NT to reboot and try to start the system using the values stored in the Last Known Good Configuration.


The Session Manager Subsystem (SMSS) is loaded.


SMSS
SMSS is responsible for creating the user-mode environment.
SMSS loads the win32k.sys device driver which switches the screen into graphics mode. The Services Subsystem now starts all services marked as Auto Start. Once all devices and services are started the boot is deemed successful and this configuration is saved as the “Last Known Good Configuration”.


Logon
Winlogon.exe file is loaded as a service and loads the Local Security Authority Subsystem (LSASS.EXE) which displays the logon dialog box or logs into the OS automatically depending upon your settings.




NTLDR has to be in the root of the active partition, as do NTDETECT.COM, BOOT.INI, BOOTSECT.DOS (for multi-OS booting) and NTBOOTDD.SYS (if you have SCSI adapters). NTOSKRNL.EXE, HAL.DLL, SMSS.EXE, WIN32K.SYS and LSASS.EXE are in \WINDOWS\SYSTEM32.

NTLDR also watches for the user to hit F8 and shows the Advanced Boot Options menu if it is detected.

Common Boot Errors Bootloader to Logon

Problem with the boot sector. Pressing F8 for Windows Advanced Options menu does not work.

  • Black Screen Hang (before splash screen shows)
  • Disk Read Error occurred
This is often caused by a bad or misconfigured boot sector

Solutions:
Check the disk’s health
FIXBOOT command in the Recovery Console to rebuild the boot record

Problem with loading NTLDR. Pressing F8 for Advanced Boot Options menu does not work.

  • NTLDR missing
  • NTLDR compressed
Solutions:
Copy a good NTLDR to the root of the system drive
Check the disk’s health
FIXBOOT command in the Recovery Console to rebuild the boot record

Problem with boot.ini. Pressing F8 for Advanced Boot Options menu may work but selecting Safe Mode gives an error and does not work.

  • Invalid Boot.ini
  • Boot Device is Inaccessible
  • Hal.dll missing or corrupt
Solutions:
Examine the boot.ini file for errors
Check the disk’s health
BOOTCFG /REBUILD command in the Recovery Console

Problem with ntdetect.com
  • NTDETECT V1.0 Checking Hardware
  • NTDetect Failed
  • System Hive is Corrupt
Solutions:
Copy a good NTDETECT.COM to the root of the system drive
Check the disk’s health
For the System Hive is Corrupt error…
Registry Repair in the Recovery Console (Microsoft’s Instructions)
Registry Repair from Linux Boot Disk

Problem with ntoskrnl.exe (boot driver error) or Black Screen Hang (after splash screen appears)

  • Windows could not start because of a computer disk hardware configuration problem.
  • Could not read from the selected boot disk. Check boot path and disk hardware. (After verifying boot.ini is correct)
  • Windows NT could not start because the following file is missing or corrupt: Winnt_root\System32\Ntoskrnl.exe
  • Winnt_root\System32\Hal.dll missing or corrupt
  • Black Screen Hang (after splash screen appears)
Solutions:
Try Last Known Good Configuration
Check the disk’s health
Edit boot.ini with debugging switches to find which driver is causing the error.
Enable Boot Logging to find which driver is causing the error.
For missing/corrupted file errors
Copy a good Ntoskrnl.exe to the windows\system32 directory of the system drive
Copy a good hal.dll to the windows\system32 directory of the system drive

Solution Details


Check the disk’s health
Download and run the disk diagnostics program provided by your hard drive’s manufacturer from their website. If you have a preloaded computer, there is a chance that it has a diagnostic utility built into it. Consult your computer’s manual for details.

You could run a free copy of PartedMagic for this. It is free but be sure to donate to him if his product helps you.
http://partedmagic.com/
Follow the directions there to make a boot CD.
Boot your broken computer from the CD and Select
1. Default Settings (Runs from RAM)

Self-Monitoring, Analysis and Reporting Technology (SMART) diagnostic report of the hard drive.
After PartedMagic loads, double-click the Disk Health icon on the desktop and then double-click the icon for your hard drive and select the Attributes tab.
I usually look for bad sectors, shown as “Reallocated Sector Count”, which is the raw value of attribute ID 5 (and C5 to a lesser extent).
If this value is greater than 0 then the disk may be going bad. Click on the Perform Tests tab and run the “Short Self Test” to make sure that it runs with a test result of “Completed without error”. If you see problems here, then the drive is probably going bad and you should focus on data recovery and replace it. If it has no errors from the short test, run the “Extended Self-Test” to make sure that the disk is okay.

You could also run CHKDSK from the recovery console if you found errors on the disk but since we are dealing with system files and sectors, CHKDSK does not usually solve the problem and can in some cases make it more difficult to recover data from the drive. A bad drive needs to be replaced. See my data recovery posts for instructions on getting your data from the bad drive.



FIXBOOT command in the Recovery Console
Boot your computer from the Windows XP CD (see the manual for your computer for instructions on booting from a CD)

When the ‘Welcome to Setup’ screen appears, press the R button on your keyboard to start the Recovery Console.

The Recovery Console will start. If you have multiple Windows installations, it will list them, and you enter the number associated with the installation you want to work on and press enter. If you have just one Windows installation, type 1 and press enter.

You will then be prompted for the Administrator’s password. If there is no password, press enter. Otherwise type in the password and then press enter.

You will now see a C:\Windows> prompt and you can start using the Recovery Console.

Attempt to repair the boot sector with the fixboot command.
http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/bootcons_fixboot.mspx?mfr=true

If you are attempting to repair the default boot drive, you can type
fixboot
and hit enter.
Answer y when asked if you are sure. Type exit to close and reboot the computer.


Copy a good NTLDR or NTDETECT.COM file to your disk
Boot your computer from the Windows XP CD (see the manual for your computer for instructions on booting from a CD)

When the ‘Welcome to Setup’ screen appears, press the R button on your keyboard to start the Recovery Console.

The Recovery Console will start. If you have multiple Windows installations, it will list them, and you enter the number associated with the installation you want to work on and press enter. If you have just one Windows installation, type 1 and press enter.

You will then be prompted for the Administrator’s password. If there is no password, press enter. Otherwise type in the password and then press enter.

You will now see a C:\Windows> prompt and you can start using the Recovery Console.

For NTLDR type
copy C:\WINDOWS\ServicePackFiles\i386\ntldr c:\

For NTDETECT.COM type
copy C:\WINDOWS\ServicePackFiles\i386\ntdetect.com c:\


Examine the boot.ini file for errors
Here is an example of a default boot.ini file for a typical Windows XP install.

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
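
One way to examine a boot.ini for the usual mistakes, as an added example rather than a tool from the original article: it checks that both sections exist, that default= names an entry under [operating systems], and that each multi() ARC path is well formed. The function names and the broken sample are constructed for illustration; only the multi() syntax shown above is checked.

```python
import re

# multi() ARC path as shown on the page; scsi()/signature() forms are not checked.
ARC = re.compile(
    r"multi\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)?", re.I)

def parse_boot_ini(text):
    """Return ({section: [(key, value), ...]}, [lines found outside a section])."""
    sections, stray, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is None:
            stray.append(line)
        else:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return sections, stray

def check_arc(path):
    """Check one entry; entries that start with a drive letter are skipped."""
    if re.match(r"[A-Za-z]:\\", path):
        return []  # points at a boot sector file, not an ARC path
    m = ARC.fullmatch(path)
    if not m:
        return [f"not a multi() ARC path: {path}"]
    problems = []
    if int(m.group(2)) != 0:
        problems.append(f"disk() must be 0 with multi(): {path}")
    if int(m.group(4)) < 1:
        problems.append(f"partition() counts from 1: {path}")
    return problems

def check_boot_ini(text):
    """Return a list of problems; an empty list means nothing was flagged."""
    sections, stray = parse_boot_ini(text)
    problems = [f"text outside any section: {s}" for s in stray]
    for name in ("boot loader", "operating systems"):
        if name not in sections:
            problems.append(f"missing [{name}] section")
    loader = {k.lower(): v for k, v in sections.get("boot loader", [])}
    entries = [k for k, _ in sections.get("operating systems", [])]
    if "timeout" in loader and not re.fullmatch(r"-?\d+", loader["timeout"]):
        problems.append(f"timeout is not a number: {loader['timeout']}")
    default = loader.get("default")
    if default is None:
        problems.append("no default= line in [boot loader]")
    elif default.lower() not in [e.lower() for e in entries]:
        problems.append(f"default= not listed under [operating systems]: {default}")
    for path in entries:
        problems.extend(check_arc(path))
    return problems

# The default boot.ini from the article.
GOOD = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
"""
# Constructed broken file: default points at partition(2), the entry at partition(0).
BAD = r"""[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(0)\WINDOWS="Microsoft Windows XP Professional" /fastdetect
"""

if __name__ == "__main__":
    for name, text in (("good", GOOD), ("bad", BAD)):
        print(name, check_boot_ini(text))
```
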



BOOTCFG /REBUILD command in the Recovery Console
Boot your computer from the Windows XP CD (see the manual for your computer for instructions on booting from a CD)

When the ‘Welcome to Setup’ screen appears, press the R button on your keyboard to start the Recovery Console.

The Recovery Console will start. If you have multiple Windows installations, it will list them, and you enter the number associated with the installation you want to work on and press enter. If you have just one Windows installation, type 1 and press enter.

You will then be prompted for the Administrator’s password. If there is no password, press enter. Otherwise type in the password and then press enter.

You will now see a C:\Windows> prompt and you can start using the Recovery Console.

Attempt to rebuild the boot.ini file
It will scan your drives and then tell you what Windows Installations it found and ask which ones you want in your boot list. Typically, it will find one.
Choose YES

Then it will ask for a Load Identifier, which is the name it displays when it lists the OS. You can put something like
Windows XP

Then it asks for OS Load Options. Normally you can put
/fastdetect

Type
exit
to reboot the computer.


Registry Repair from Linux Boot Disk
I like to run a free copy of PartedMagic for this. It is free but be sure to donate to him if his product helps you.
http://partedmagic.com/
Follow the directions there to make a boot CD.
Boot your broken computer from the CD and Select
1. Default Settings (Runs from RAM)

Now use either the graphical File Manager or the command line in a terminal to execute the commands in the Microsoft instructions

http://support.microsoft.com/kb/307545

without the limitation of accessing protected files. Because of this you must be careful to always back files up properly before making changes to them.


Try Last Known Good Configuration
When you turn on your computer start tapping the F8 key about once per second until the Windows Advanced Options menu appears on the screen. Select

Last Known Good Configuration (your most recent settings that worked)

and then press ENTER. The computer will reboot and try to use the configuration that was used the last time that it booted successfully.


Edit boot.ini with debugging switches
This is a trick that will help you identify what mysterious driver or setting is causing the computer not to boot past the Windows XP splash screen.

There are two switches that I like to use for this…

The /sos switch displays the device driver names while they are being loaded. With this you can find the file that the crash is occurring at and can try renaming it temporarily to see if it boots and if it does then reinstall the device or program associated with it.

The /basevideo switch forces XP to use the generic video drivers so you can see if the video drivers are causing the computer not to boot. If they are, you can then try to reinstall or replace your video driver, remove the /basevideo switch and see if it is fixed.

To add the switches you can use commands in Recovery Console or edit the boot.ini file directly from a Linux boot CD (make a backup of the file first).
The command in Recovery Console to add the /sos switch to a default boot.ini file is…

bootcfg /addsw SO /ID n

To remove it type
bootcfg /rmsw SO /ID n

The command in Recovery Console to add the /basevideo switch to a default boot.ini file is…

bootcfg /addsw BV /ID 1

To remove it type
bootcfg /rmsw BV /ID 1

If directly editing the boot.ini file here is what a default one looks like with the switches added…

[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /sos /basevideo


The list of available switches is here http://support.microsoft.com/kb/833721

Once you find the driver you suspect is causing the problem, use Recovery Console commands to disable the driver or service. Before you disable a driver or service in Recovery Console, look at it first with the listsvc command and write down the start type so you can enable it properly at a later time.
http://support.microsoft.com/kb/314058


Enable Boot Logging to find which driver is causing the error.
When you turn on your computer start tapping the F8 key about once per second until the Windows Advanced Options menu appears on the screen. Select

Enable Boot Logging

and then press ENTER. The computer will reboot and create a report about the drivers it loads or tries to load during the boot process.
The log is saved in a text file in C:\Windows\Ntbtlog.txt. Look at this file for errors to help find what is causing the problem.
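
An added example (not part of the original article) of reading Ntbtlog.txt with a script, for instance from a Linux boot CD: it splits the log into boot sessions, lists the drivers the latest boot did not load, and shows which drivers loaded on the previous boot but not on the latest one. The sample log, the driver name examplevid.sys and the rule that any non-driver line opens a new session are assumptions of this example.

```python
LOADED, NOT_LOADED = "Loaded driver ", "Did not load driver "

def decode_log(data):
    """Decode raw log bytes; a UTF-16 byte order mark is honoured if present."""
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")

def new_session():
    return {"header": [], "loaded": [], "not_loaded": []}

def parse_sessions(text):
    """Split the log into boot sessions of loaded / not-loaded driver paths."""
    sessions, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith(LOADED):
            kind, value = "loaded", line[len(LOADED):]
        elif line.startswith(NOT_LOADED):
            kind, value = "not_loaded", line[len(NOT_LOADED):]
        else:
            # Assumption: a non-driver line after driver lines opens a new session.
            kind, value = "header", line
            if current is not None and (current["loaded"] or current["not_loaded"]):
                current = None
        if current is None:
            current = new_session()
            sessions.append(current)
        current[kind].append(value)
    return sessions

def suspects(sessions):
    """Report on the latest session, compared with the one before it."""
    last = sessions[-1]
    report = {
        "last_loaded": last["loaded"][-1] if last["loaded"] else None,
        "not_loaded": sorted(set(last["not_loaded"]), key=str.lower),
        "missing_since_previous": [],
    }
    if len(sessions) > 1:
        seen = {p.lower() for p in last["loaded"]}
        report["missing_since_previous"] = [
            p for p in sessions[-2]["loaded"] if p.lower() not in seen]
    return report

# Constructed sample: one boot that completed, then one that stopped early.
SAMPLE_LOG = r"""
Service Pack 3 4 8 2013 09:14:02.500
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver pci.sys
Loaded driver examplevid.sys
Loaded driver \SystemRoot\System32\Drivers\Fs_Rec.SYS
Did not load driver \SystemRoot\System32\Drivers\NDProxy.SYS
Service Pack 3 4 9 2013 08:02:41.375
Loaded driver \WINDOWS\system32\ntoskrnl.exe
Loaded driver \WINDOWS\system32\hal.dll
Loaded driver pci.sys
Did not load driver examplevid.sys
"""

if __name__ == "__main__":
    for key, value in suspects(parse_sessions(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```
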

Once you find the driver you suspect is causing the problem, use Recovery Console commands to disable the driver or service. Before you disable a driver or service in Recovery Console, look at it first with the listsvc command and write down the start type so you can enable it properly at a later time.
http://support.microsoft.com/kb/314058


Copy a good ntoskrnl.exe or hal.dll to the windows\system32 directory of the system drive
Boot your computer from the Windows XP CD (see the manual for your computer for instructions on booting from a CD)

When the ‘Welcome to Setup’ screen appears, press the R button on your keyboard to start the Recovery Console.

The Recovery Console will start. If you have multiple Windows installations, it will list them, and you enter the number associated with the installation you want to work on and press enter. If you have just one Windows installation, type 1 and press enter.

You will then be prompted for the Administrator’s password. If there is no password, press enter. Otherwise type in the password and then press enter.

You will now see a C:\Windows> prompt and you can start using the Recovery Console.

For ntoskrnl.exe type
copy c:\windows\system32\ntoskrnl.exe c:\windows\system32\ntoskrnl.bak

copy C:\WINDOWS\ServicePackFiles\i386\ntoskrnl.exe c:\windows\system32

For hal.dll type
copy c:\windows\system32\hal.dll c:\windows\system32\hal.bak

copy C:\WINDOWS\ServicePackFiles\i386\hal.dll c:\windows\system32


Part 1: POST and MBR Issues

Part 3: Blue Screen Errors

Part 4: Recovery Console and Other Tools





7 Responses to “XP Won’t Boot :( Repair Series Part 2: Bootloader to Logon Issues”

Sam, March 2nd, 2013 at 11:41 am

Well, you’ve got it licked! (positive comment). I wonder though what I can do, perhaps you can point me in the right direction: my daughter’s laptop XP SP3 would on booting just end up with the picture, no start or anything just mouse pointer.
I did: 1)system restore from safe mode – no good (unfortunately didn’t try earlier one as well before
2)used my xp disk (pro SP1) to start and go to repair. Big mistake: figured that if I used Enter I would be able to later put SP3 on. result same as before but no more system restore possible (was hoping to use the one I hadn’t used earlier.
3)made slipstreamed SP3 from my xp, no difference just to pic and it’s asking for activation, pressing return nothing just pic and mouse
4)made another SP3 slipstream from my wife’s XP SP2 disk. at repair went enter not formatting or deleting partition – just use as is option.
Result on booting I now have choice:
windows = latest
windows.0 = one before
windows.1 = old one (I can see desktop, shortcuts, programs etc when I’m in basic safe mode (not networking; that option talks activation to be done from normal startup
When I chose windows (first option) I get desktop etc but it didn’t recognise network adapters(wireless or hardwire). so attached my HTC phone via USB copied the htc synchro setup, and then once installed used tethering to get me on the internet for driver find and install (had stalled before bec it couldn’t connect to web.
Program Files which I can see in old Windows under safe mode, aren’t recognised on latest windows, or, as in EXCEL it reports missing bits, not so on old system in safe mode.

Ideally I would like to copy whatever start elements in registry or wherever from working windows to old windows to get it to start and work as before. I realise difference between product codes on laptop box, on latest install. I was going to talk to MS re activation, as laptop was legit, and as far as I can tell my wife’s XP was legit.

Thanks for reading this, sorry it’s long and must have given you the creeps, and I appreciate any help.
Thanks,
Sam

admin, March 2nd, 2013 at 5:21 pm

Hi Sam

It sounds like you may have gotten past the point of regular repairing and need to get any personal/important data copied off of that laptop and then do a reinstall.

Does that laptop have the capability to be reset to factory condition? If so, check the manual for instructions. If not, then you’ll need to use an XP install disk to do a fresh install wiping everything currently on it (reason for backing up any important/personal data) then do the updates. It does not sound like activation will be a problem once you get the laptop connected to the internet or call MS and go through the automated process there.

James

Merry, March 30th, 2013 at 4:12 pm

I’ve been trying for 2 -3 weeks now to fix an 0x0000ed unmountable boot error on my Dell Latitude XP Pro. According to Dell, the string of error codes is resulting from a faulty kernel(?) file.
This series of yours has been invaluable. It’s an older computer, so of course I have some prefailure errors coming up, but the overall health of the disk (other than read errors) is healthy according to PartedMagic.
My boot.ini reads as above, except: /noexecute=optin/ fastdetect rather than fastdetect/ noexecute=optin and I can’t seem to find a boot.ini file in the i386 folder.
Of course I don’t have the restore discs and the one I downloaded per your recommendation doesn’t detect c: drive.
I tried to install ubuntu last night but it comes up with not enough room in /tmp folder. I’m not quite sure why that is happening, but it leaves me thinking my only option is to completely erase the disk and install ubuntu. I thought I would try contacting you before I do.
Any help would be appreciated and thanks so much for the in-depth tutorial on fixing BSOD. It really helps to have concise, informative info all in one spot rather than getting bits and pieces from all over the web and trying to piece things together.

Merry, March 30th, 2013 at 4:29 pm

I should add…
Thanks to you and this great series, I was able to recover all of my content. I’m also an Online Business Start-Up coach and use my computer for coaching calls, so being without it is a real inconvenience – to say the least.
Since I have all my data and I can get onto the computer using PartedMagic, I really feel I don’t have a lot to lose if I have to wipe the disk. I’ve tried EVERYTHING – repairing the disk, running restore console, but since my drive isn’t detected, nothing is working. I can’t boot into safe mode, safe mode with command, last known good configuration… I tried to restore from a point I had just set the day before it went down but the system couldn’t find anything and now that I can get into the system files, I see that the folder is empty – so that explains that.
Interestingly enough, I did find a Searchqu toolbar folder – which from what I read, is harmful adware – that was installed a month before the bsod popped up. I never install toolbars and although I DO install an occasional program, I always get them from CNet plus run my own malware scan so I’m not exactly sure how that snuck in on me.

admin, April 3rd, 2013 at 2:27 pm

Hi Merry

That’s a tricky error but from my experience, it has always been a damaged drive. Usually it is bad sectors in important files like the file system’s meta files.

James

steev tupanwael, November 5th, 2015 at 11:27 am

Thank you very much, this tutorial saved me. I successfully installed my backup Windows XP to a new PC.

Simon Williams, August 13th, 2016 at 9:45 am

Thank you so much for this excellent guide. I was attempting to restore an NTFS image and I never would have got it to boot without this.

One thing you might like to add (this was the final step for me):

For Windows XP and before (and possibly some versions of Vista), the MBR expects the partition to start at sector 63. Linux fdisk now starts at 2048 unless you use `fdisk -c=dos` for dos compatibility mode. I believe XP SP3 does not have this issue.

The symptom of this is the black screen with blinking cursor, before any boot menu.

Since I had already restored the partition to sector 2048, I was able to fix it by deleting the partition in fdisk and recreating it at sector 63, and then running the following command to shuffle the contents back:

dd conv=notrunc bs=512 iflag=fullblock if=/dev/sda1 skip=$((2048-63)) of=/dev/sda1
