CHAPTER 9

Troubleshooting Startup

Diagnosing and correcting hardware and problems that affect the startup requires different tools and techniques than troubleshooting problems that occur after the system has started, because the person troubleshooting the startup problem does not have access to the full suite of Windows 2003 troubleshooting tools. Resolving startup issues requires a clear understanding of the startup process and core components, as well as the tools used to isolate and resolve problems. This chapter covers problems that stop from starting and allowing a to successfully complete the interactive log on process. In This Chapter

Startup Processes...... 3 Being Prepared for Startup Failures...... 22 Startup Troubleshooting Before Product Logo Appears...... 25 Startup Troubleshooting After Product Logo Appears...... 40 Troubleshooting Startup Problems After Logon...... 53 Other Troubleshooting Startup Procedures...... 62 Recovering from Hardware-Related Startup Problems...... 64 Additional Resources...... 72

2 Chapter 9 Troubleshooting Startup

The information contained in this document represents the current view of Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e- addresses, logos, , places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, , Windows, Windows NT, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 錯誤! 尚未定義樣式。 3

Startup Processes To diagnose and correct a startup problem, you need to understand what occurs during startup. The first step in isolating startup problems is for you to determine whether the problem occurs before, during, or after a Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition, or Windows Server 2003, Web Edition operating system starts up. The root cause of startup failure, including contributing factors, can result from a variety of problems, such as user error, application faults, hardware failures, or virus activity. If the condition is serious enough, you might need to reinstall Windows Server 2003 or restore files from backup media. In the 32-bit versions of the Windows Server 2003 operating system, startup failures that occur before the operating system loader (Ntldr) starts could indicate that Ntldr is missing, or that the hard disk (MBR), partition table, or is damaged. If a problem occurs during startup, the system might have incompatible software or drivers, incompatible or improperly configured hardware, or corrupted system files. The startup process for the Itanium-based versions of Windows Server 2003, Enterprise Edition and Windows Server 2003, Datacenter Edition is similar to that of 32-bit versions. For information, see “Startup Phases for Itanium-based Windows Server 2003 Computers” later in this chapter. Startup Phases for 32-bit Versions of Windows Server 2003 The startup process for 32-bit versions of Windows Server 2003 closely resembles that of Microsoft® Windows NT® Server version 4.0, Microsoft® Windows® 2000 Server, and XP, but significantly differs from Microsoft , Microsoft , and Microsoft Windows Millennium Edition (Windows Me). All computers running Windows Server 2003 share the same startup sequence: · Power-on self test (POST) phase · Initial startup phase · Boot loader phase · Detect and configure hardware phase · Kernel loading phase · Logon phase · Plug and Play device detection phase The preceding startup sequence applies to systems started or restarted after a normal . The detect and configure hardware phase only includes hardware necessary to the kernel 4 Chapter 9 Troubleshooting Startup

loading phase, including system buses, hard disks, input devices, and parallel ports. Remaining hardware devices are configured during the kernel loading phase. Windows Server 2003 32-bit Version Startup Files For Windows Server 2003 to start, the system and boot partitions must contain the files listed in Table 9.1. Table 9.1 Windows Server 2003 32-bit Version Startup Files File Name Disk Location Description Ntldr Root of the system partition The operating system loader. Boot.ini Root of the system partition A file that specifies the paths to Windows Server 2003 installations. For multiple-boot systems or for systems with installed, Boot.ini contains the operating system choices that display on the startup menu. Bootsect.dos Root of the system partition A hidden system file that Ntldr passes control to (multiple-boot when you choose a different operating system in a systems only) Windows Server 2003 multiple-boot configuration. Operating systems can be loaded by using Bootsec.dos include Windows 95, Windows 98, and Millennium Edition. Ntdetect.com Root of the system partition The file that performs basic hardware detection. The information generated by Ntdetect.com is used by Ntldr. Ntbootdd.sys Root of the system partition The used to access devices attached to (required for SCSI or Advanced a SCSI or ATA hard disk whose adapter is not using Technology Attachment (ATA) BIOS. This device driver is specific to the controller controllers with firmware used. disabled or that do not support extended INT-13 calls). Ntoskrnl.exe systemroot\System32 The core (also called the kernel) of the Windows Server 2003 Server operating system. Code that runs as part of the kernel does so in privileged processor mode and has direct access to system data and hardware. During installation on single processor systems, Windows Server 2003 Setup copies Ntoskrnl.exe from the operating system . During installation on multi-processor systems, Windows Server 2003 Setup copies Ntoskrnlmp.exe and renames it as Ntoskrnl.exe. Hal.dll systemroot\System32 The layer (HAL) dynamic-link library file. The HAL abstracts low-level hardware details from the operating system and provides a common programming interface to devices of the 錯誤! 尚未定義樣式。 5

same (such as video adapters). The Windows Server 2003 operating system CD contains different Hal files. Setup copies to your computer the file that fits your hardware configuration and renames the file as Hall.dll. Smss.exe systemroot\System32 The Session Manager file. Session Manager is a user-mode process created by the kernel during startup that handles critical startup tasks including creating page files and performing delayed file rename and delete operations. Csrss.exe systemroot\System32 The Win32 Subsystem file. The Win32 Subsystem is launched by Session Manager, and is required by Windows Server 2003 to function. .exe systemroot\System32 The Logon Process file, which handles user logon requests and intercepts the Ctrl+Alt+Delete logon key sequence. The Logon Process is launched by Session Manager. This process is required for users to interact with Windows Server 2003, and as a result, is a required component. Services.exe systemroot\System32 The is responsible for starting and stopping services, and is a required component of Windows Server 2003. Lsass.exe systemroot\System32 Local Security Authentication Server process is called by the Logon Process when authenticating users, and is a required component. System systemroot\System32\Config\Sy The file that contains data used to create the registry registry file stem key HKEY_LOCAL_MACHINE\SYSTEM. This key contains information that the operating system requires to start devices and system services. Device drivers systemroot\System32\Drivers Driver files in this folder are for hardware devices, such as keyboard, mouse, and video.

Note Windows NT 4.0, , Windows XP Professional, and Windows Server 2003, define the “system” and “boot” volumes differently from other operating systems. The system volume contains the files that are needed to start Windows Server 2003. The boot volume contains operating system files and folders such as systemroot and systemroot\System32. For 32-bit computers, the boot volume can be, but does not have to be, the same volume as the system volume.

In Table 9.1, the term systemroot is one of many environment variables used to associate string values, such as folder or file paths, to variables that Windows Server 2003 applications and services use. For example, by using environment variables, scripts can run without modification 6 Chapter 9 Troubleshooting Startup

on computers that have different configurations. To obtain a list of environment variables that you can use for troubleshooting, type set the Windows command prompt.

Power-on Self Test As soon as you turn on a computer, its (CPU) begins to carry out the programming instructions contained in the basic input/output system (BIOS). The BIOS, which is a type of firmware, contains the processor dependent code that starts the computer regardless of the operating system installed. The first set of startup instructions is the power-on self test (POST). The POST is responsible for the following system and diagnostic functions: · Performs initial hardware checks, such as determining the amount of memory present. · Verifies that the devices needed to start an operating system, such as a hard disk, are present. · Retrieves system configuration from non-volatile complementary metal-oxide semiconductor (CMOS) memory, which is located on the motherboard. The contents of CMOS memory remain even after you shut down the computer. Examples of hardware settings stored in CMOS memory include device boot order and Plug and Play information. After the motherboard POST completes, add-on adapters that have their own firmware (for example, video and hard drive controllers) carry out internal diagnostic tests. Troubleshooting problems during POST If startup fails before or during POST, your computer is experiencing a hardware failure. Typically, the BIOS displays an error message that indicates the nature of the problem. If video is not functioning correctly, the BIOS usually indicates the nature of the failure with a series of beeps. To access and change system and peripheral firmware settings, consult the system documentation provided by the manufacturer. For more information, refer to your computer’s documentation and see “Recovering from Hardware-related Problems” in this chapter.

Initial Startup Phase After the POST, the settings that are stored in CMOS memory, such as boot order, determine the devices that the computer can use to start an operating system. For example, if the boot order specifies the floppy disk as the first startup device and the hard disk as second (some firmware displays this order as “A, C”), the following scenarios might occur at startup: The floppy disk drive contains a floppy disk The BIOS searches the floppy disk drive for a bootable floppy disk. If one is present, the first sector (sector 0, the floppy disk boot sector) loads into memory. If the floppy disk is not bootable, an error message similar to the following appears:

Non-system disk or disk error and press any key when ready

錯誤! 尚未定義樣式。 7

The computer displays the preceding message until you insert a bootable floppy disk or until you remove the floppy disk and restart the computer. The floppy disk drive does not contain a floppy disk If you restart the computer without a floppy disk, the computer reads the boot code instructions located on the master boot record (MBR). The MBR is the first sector of data on the startup hard disk. The MBR contains instructions (called boot code) and a table (called a partition table) that identify primary and extended partitions. The BIOS reads the MBR into memory and transfers control to the code in the MBR. The computer then searches the partition table for the active partition, also known as a bootable partition. The first sector of the active partition contains boot code that enables the computer to do the following: · Read the contents of the used. · Locate and start the operating system loader file, Ntldr. If an active partition does not exist or if boot sector information is missing or corrupt, a message similar to any of the following might appear:

· Invalid partition table

· Error loading operating system

· Missing operating system

· BOOT: Couldn't NTLDR

· NTLDR is missing If an active partition is successfully located, the code in the boot sector locates and starts Ntldr and the BIOS transfers execution to it. The boot order specifies another startup device In addition to floppy disks or hard disks attached to SCSI and ATA controllers, some computer firmware can start an operating system from other devices, such as: · CD-ROMs · Network adapters · Removable disks, such as LS-120 disks or Iomega Zip disks · Secondary storage devices installed in docking stations for portable computers It is possible to specify a custom boot order, such as “CDROM, A, C.” When you specify “CDROM, A, C” as a boot order, the following events occur at startup: 1. The computer searches the CD-ROM for bootable media. If a bootable CD is present, the computer uses the CD-ROM as the startup device. Otherwise, the computer searches the next device in the boot order. 2. The computer searches the floppy disk for bootable media. If a bootable floppy disk is present, the computer uses the floppy disk as the startup device. Otherwise, the computer searches the next device in the boot order or displays an error message. 8 Chapter 9 Troubleshooting Startup

3. The computer uses the hard disk as the startup device. The computer typically uses the hard disk as the startup device only when the CD-ROM drive and the floppy disk drive are empty. There are exceptions where code on bootable media transfer control to the hard disk. For example, when you start your system by using the bootable Windows Server 2003 operating system CD, Setup checks the hard disk for Windows Server 2003 installations. If one is found, you have the option of bypassing CD-ROM startup by not responding to the Press any key to boot from CD-ROM prompt that appears. You cannot use a nonbootable CD to start your system. The presence of a nonbootable CD in the CD-ROM drive can add to the the system requires to start. If you do not intend to start the computer from CD, remove all CDs from the CD-ROM drive before restarting. Troubleshooting problems during the initial startup phase If startup fails during the initial startup phase, you are experiencing a problem with the BIOS configuration, the disk subsystem, or the file system. If you have changed the disk configuration recently, verify that all cables are properly connected and jumpers are correctly configured. If from the hard disk, verify that all removable media has been removed. If booting from a CD-ROM, verify that the BIOS is configured to start from the CD-ROM and that the Windows Server 2003 media is present. If the disk subsystem and BIOS are configured correctly, the problem might be related to the file system. For instructions on repairing the master boot record and the boot sector, see “Repairing the Boot Sector and Master Boot Record” later in this chapter. For more information about configuring the boot order, consult your computer’s documentation.

Boot Loader Phase Ntldr loads startup files from the boot partition and then does the following: 1. Sets a 32-bit processor to run in 32-bit flat memory mode. A 32-bit computer first starts in real mode. In real mode, the processor disables certain features in order to allow compatibility with software designed to run on 8-bit and 16-bit processors. Ntldr then switches the processor to 32-bit protected mode, which allows access to large amounts of memory and enables Windows Server 2003 to start. 2. Reads the Boot.. Ntldr is capable of natively reading supported file systems, and uses that capability to parse the Boot.ini file without fully loading the file system. For systems that use a single-boot configuration, Ntldr initiates the hardware detection phase by starting Ntdetect.com. For multiple-boot configurations or if you install Recovery Console, you receive a menu of operating system choices at startup.

Note Computers running Windows NT 4.0 require Service Pack 4 or later to access NTFS volumes previously mounted by Windows Server 2003, Windows 2000, or Windows XP Professional. 錯誤! 尚未定義樣式。 9

If you choose Windows Server 2003, Windows XP Professional, Windows 2000, or Windows NT 4.0, Ntldr proceeds with the hardware detection phase. If you do not select Windows Server 2003, Windows XP, Windows 2000, or Windows NT 4.0, control is passed to the boot sector for the other operating system. 3. Detects hardware and hardware profiles. For 32-bit computers, Ntldr starts Ntdetect.com, a program that performs basic device detection. Ntldr then loads the kernel and HAL for the operating system chosen in Step 2. The kernel needs information from the registry and critical drivers, so Ntldr loads the registry key HKLM\SYSTEM and the boot drivers into memory. Ntldr then passes Boot.ini information, as well as hardware and software data in the registry, to Ntoskrnl.exe. Ntdetect.com detects hardware profile information (for example, docked and undocked configurations for portable computers) and also checks for information stored in Advanced Configuration and Power Interface (ACPI) tables. ACPI compliant firmware enables Windows Server 2003 to detect device power management features and determine device resource requirements.

Troubleshooting problems during the boot loader phase If startup fails during the boot loader phase, you are experiencing a problem with one of the boot loader files, the file system, or the disk configuration. Use the command in Recovery Console to validate and repair the Boot.ini file. Then, replace the Ntldr and Ntdetect.com files with originals from the Windows Server 2003 CD-ROM. For more information about ACPI, see the ACPI link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Detect and Configure Hardware Phase After processing the Boot.ini file, Ntldr starts Ntdetect.com. For 32-bit computers, Ntdetect.com collects information about installed hardware by using calls to system firmware routines. Ntdetect.com then passes this information back to Ntldr. Ntldr gathers the data received from Ntdetect.com and organizes the information into internal data structures. Ntldr then starts Ntoskrnl.exe and provides it with information obtained from Ntdetect.com. Ntdetect.com collects the following type of hardware and device information: · System firmware information, such as time and date · Bus and adapter types · Video adapters · Keyboard · Communication ports · Disks · Floppy disks · Input devices (such as mouse devices) 10 Chapter 9 Troubleshooting Startup

· Parallel ports · Devices installed on the Industry Standard Architecture (ISA) bus Ntdetect.com relies on ACPI functionality to perform device enumeration when available. Windows Server 2003 assigns the hardware resources to use on ACPI-compliant systems. Ntdetect.com performs a more active role in device enumeration for computers that are not ACPI compliant. Troubleshooting problems during the detect and configure hardware phase If startup fails during the detect and configure hardware phase, use Recovery Console to replace startup files. If you experience a Stop error during this phase, use the information provided by the Stop message to isolate the failing component. Use Recovery Console to disable the failing component or to replace problematic files.

Kernel Loading Phase Ntldr is responsible for loading the Windows kernel (Ntoskrnl.exe) and the HAL into memory. The Hal.dll file that your computer uses can vary depending on the type of hardware your computer uses. During installation, Windows Server 2003 Setup copies one of several HAL files (see Table 9.2 for a list of these files) and renames the file to Hal.dll. To view the computer description in 1. In the Run dialog box, type devmgmt.msc, and then click OK. 2. In Device Manager, expand Computer to view the description of your computer. By comparing the description that Device Manager uses to the descriptions listed in Table 9.2, you can determine the HAL file that is copied to your computer from the Windows Server 2003 operating system CD. Other HALs might be developed by other manufacturers. Table 9.2 Description of Different Hal.dll Files Computer Description in Device Manager HAL File Copied ACPI APIC Multiprocessor PC Halmacpi.dll ACPI APIC Uniprocessor PC Halaacpi.dll Advanced Configuration and Power Interface (ACPI) PC Halacpi.dll MPS Multiprocessor PC Halmps.dll MPS Uniprocessor PC Halapic.dll Standard PC Hal.dll

Together, the kernel and the HAL initialize a group of software components that are called the Windows executive. The Windows executive processes the configuration information stored in the registry in HKLM\SYSTEM\CurrentControlSet, and starts services and drivers. 錯誤! 尚未定義樣式。 11

Control Sets Ntldr reads control set information from the registry key HKEY_LOCAL_MACHINE\SYSTEM which is stored in the file systemroot\system32\Config\System, so that Ntldr can determine which device drivers need to be loaded during startup. Typically, several control sets exist, with the actual number depending on how often system configuration settings change.

Caution Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system, or even require you to reinstall Windows. If you must edit the registry, back it up first.

The HKEY_LOCAL_MACHINE\SYSTEM subkeys used during startup are: · \CurrentControlSet, a pointer to a ControlSetxxx subkey (where xxx represents a control set number, such as 001) designated in the \Select\Current value. · \Select, which contains the following entries: · Default, which points to the control set number (for example, 001=ControlSet001) that the system has specified for use at the next startup. If no error or manual invocation of the LastKnownGood startup option occurs, this control set number is designated as the value of the Default, Current, and LastKnownGood entries (assuming that a user is able to log on successfully). · Current, which points to the last control set that was used to start the system. · Failed, which points to a control set that did not start Windows Server 2003 successfully. This value is updated when the LastKnownGood option is used to start the system. · LastKnownGood, which points to the control set that was used during the last user session. When a user logs on, the LastKnownGood control set is updated with configuration information from the previous user session. Ntldr uses the control set identified by the \Select\Default value unless you choose the Last Known Good Configuration from the Windows Advanced Options menu. The kernel uses the information obtained from Ntdetect.com to create the registry key HKEY_LOCAL_MACHINE\HARDWARE, which contains the hardware data collected at system startup. You can monitor the kernel load process by viewing the Starting up progress status bar that that appears during startup. Windows Server 2003 supports an extensive set of devices, with additional drivers not on the Windows Server 2003 operating system CD provided by hardware manufacturers. Drivers are kernel-mode components required by devices to function within an operating system. Services are components that support operating system and application functions and act as network servers. Services can run in a different context than user applications and typically do not offer many user-configurable options. For example, the Print Spooler service does not require a user to be logged on to run and functions independently of the user who is logged on to the system. 12 Chapter 9 Troubleshooting Startup

Drivers generally communicate directly with hardware devices, while services usually communicate with hardware through drivers. Windows Server 2003 driver and service files are typically stored in the systemroot\System32 and systemroot\System32\Drivers folders and use .exe, ., or .dll file name extensions. Drivers are also services. Therefore, during kernel initialization, Ntldr and Ntoskrnl.exe use the information stored in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Servicename registry subkeys to determine both the drivers and services to load. In the Servicename subkeys, the entry Start specifies when to start the service. For example, Ntldr loads all drivers for which Start is 0, such as device drivers for hard disk controllers. After execution is transferred to the kernel, the kernel loads drivers and services for which Start is 1. Table 9.3 lists the values (in decimal) for the registry entry Start. Boot drivers (those for which Start is 0) and file system drivers are always loaded regardless of the value of Start because they are required to start Windows Server 2003. Table 9.3 Descriptions of the Values for the Start Registry Entry Value Start Type Value Descriptions for Start Entries 0 Boot Specifies a driver that is loaded (but not started) by the boot loader. If no errors occur, the driver is started during kernel initialization prior to any non-Boot drivers being loaded. 1 System Specifies a driver that loads and starts during kernel initialization after drivers with a Start value of 0 have been started. 2 Auto load Specifies a driver or service that is initialized at system startup by Session Manager (Smss.exe) or the Services Controller (Services.exe). 3 Load on demand Specifies a driver or service that the SCM starts only on demand. These drivers have to be started manually by calling a Win32 SCM API such as the Services snap-in.. 4 Disabled Specifies a disabled (not started) driver or service.

Table 9.4 lists some of the values (in decimal) for the Type registry entry. Table 9.4 Descriptions of the Type Registry Values Value Value Descriptions for Type Entries 1 Specifies a kernel device driver. 2 Specifies a kernel mode file system driver (also a kernel device driver). 4 Specifies arguments passed to an adapter. 8 Specifies a file system driver such as a file system recognizer driver. 16 Specifies a service that obeys the service control protocol, runs within a process that hosts only one service, and can be started by the Services Controller. 32 Specifies a service that runs in a process that hosts multiple services. 錯誤! 尚未定義樣式。 13

256 Specifies a service that is allowed to display windows on the console and receive user input.

Some drivers and services require that conditions, also known as dependencies, be met. You can find dependencies listed under the DependOnGroup and DependOnService entries in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Servicename subkey for each service or driver. For more information about using dependencies to prevent or delay a driver or service from starting, see “Temporarily Disabling Services” later in this chapter. The Services subkey also contains information that affects how drivers and services are loaded, a few of which are listed in Table 9.5. Table 9.5 Other Registry Entries in the Servicename Subkeys Entry Description DependOnGroup At least one item from this group must start before this service is loaded. DependOnServic Lists the specific services that must load before this service loads. e DisplayName Describes the component. ErrorControl · Controls whether a driver error requires the system to use the LastKnownGood control set or to display a Stop message. · If the value is 0x0 (Ignore, no error is reported), do not display a warning and proceed with startup. · If the value is 0x1 (Normal, error reported), record the event to the System Event Log and display a warning message, but proceed with startup. · If the value is 0x2 (Severe), record the event to the System Event Log, use the LastKnownGood settings, restart the system, and proceed with startup. · If the value is 0x3 (Critical), record the event to the System Event Log, use the LastKnownGood settings, and restart the system. If the LastKnownGood settings are already in use, display a Stop message. Group Designates the group that the driver or service belongs to. This allows related drivers or services to start together (for example, file system drivers). The registry entry List in the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder specifies the group startup order. ImagePath Identifies the path and file name of the driver or service if the ImagePath entry is present. You can use Windows Explorer to verify the path and file name. ObjectName Specifies an object name. If the Type entry specifies a Windows Server 2003 service, it represents the account name that the service uses to log on when it runs. Tag Designates the order in which a driver starts within a driver group.

14 Chapter 9 Troubleshooting Startup

Session Manager After all entries that have Boot and Startup data types are processed, the kernel starts the Session Manager, which continues to run until the operating system is shut down. The Session Manager (Smss.exe) performs important initialization functions such as: · Creating system environment variables. · Starting the kernel-mode portion of the Win32 subsystem (implemented by systemroot\system32\Win32k.sys), which causes Windows Server 2003 to switch from text to graphics mode. Windows-based applications run in the Windows subsystem. This environment allows applications to access operating system functions, such as displaying information to the screen. · Starting the user-mode portion of the Win32 subsystem (implemented by systemroot\system32\Csrss.exe). The applications that use the Windows subsystem are user mode processes; they do not have direct access to hardware or device drivers. User-mode processes run at a lower priority than kernel-mode processes. When the operating system needs more memory, it can page to disk the memory that is used by user-mode processes. · Starting the Logon Manager (systemroot\system32\Winlogon.exe). · Creates additional paging files. · Performs delayed rename operations for files specified by the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations. For example, you might be prompted to restart the computer after installing a new driver or application, so that Windows Server 2003 can replace files that are currently in use. Session Manager searches the registry for service information that is contained in the following subkeys: · HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager contains a list of commands to run before loading services. The Autochk.exe tool is specified by the value of the registry entry BootExecute and virtual memory (paging file) settings stored in the Memory Management subkey. Autochk, which is a version of the Chkdsk tool, runs at startup if the operating system detects a file system problem that requires repair before completing the startup process. · HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems stores a list of available subsystems. For example, Csrss.exe contains the user-mode portion of the Windows subsystem. Troubleshooting problems during the kernel loading phase If startup fails during the kernel loading phase after another operating system was installed on the computer, the cause of the problem is likely an incompatible boot loader. Boot loaders installed by older versions of Windows cannot be used to start Windows Server 2003. Use Recovery Console to replace startup files with Windows Server 2003 startup files. Otherwise, use boot logging to isolate the failing component, and then use Recovery Console to disable the failing component or to replace problematic files. If you experience a Stop error 錯誤! 尚未定義樣式。 15

during this phase, use the information provided by the Stop message to isolate the failing component.

Logon Phase The Windows subsystem starts Winlogon.exe, a system service that enables logging on and off. Winlogon.exe then does the following: · Starts the Services subsystem (Services.exe), also known as the Service Control Manager (SCM). The Service Controller Manager initializes services that the registry entry Start designates as Autoload in the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename. · Starts the Local Security Authority (LSA) process (Lsass.exe). · Parses the CTRL+ALT+ key combination at the Begin Logon prompt. The Graphical Identification and Authentication (GINA) component collects the user name and password, and passes this information securely to the LSA for authentication. If the user supplied valid credentials, access is granted by using either the default Kerberos V 5 authentication protocol or NTLM. Winlogon initializes security and authentication components while Plug and Play initializes auto- load services and drivers. After the user logs on, the control set referenced by the registry entry LastKnownGood (located in HKLM\SYSTEM\Select) is updated with the contents in the CurrentControlSet subkey. By default, Winlogon then launches Userinit.exe. Userinit might then launch other processes, including the following: · settings take effect. Group Policy settings that apply to the user and computer take effect. For more information about Group Policy, see the Change and Configuration Management Deployment Guide link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. · Startup programs run. When not overridden by Group Policy settings, Windows Server 2003 starts logon scripts, startup programs, and services referenced in these registry subkeys and file system folders: · HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \Runonce · HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion \policies\Explorer\Run · HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run · HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows \Run · HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run · HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce · systemdrive\Documents and Settings\All Users\\Programs\Startup · systemdrive\Documents and Settings\username\Start Menu\Programs\Startup 16 Chapter 9 Troubleshooting Startup

· windir\Profiles\All Users\Start Menu\Programs\Startup · windir\Profiles\username\Start Menu\Programs\Startup The windir\Profiles folders exist only on systems that are upgraded from Windows NT 4.0 Server. Windows Server 2003 startup is not complete until a user successfully logs on to the computer. Troubleshooting problems during the logon phase If startup fails during the logon phase, you are having a problem with a service or application configured to start automatically. For troubleshooting information, see “Temporarily Disabling Applications and Processes” later in this chapter. If you experience a Stop error during this phase, use the information provided by the Stop message to isolate the failing component.

Plug and Play Device Detection Plug and Play detection runs asynchronously with the logon process and relies on system firmware, hardware, device driver, and operating system features to detect and enumerate new devices. Windows Server 2003 optimizes Plug and Play support for computers equipped with ACPI firmware and enables enhanced features, such as hardware resource sharing. When Plug and Play components are well coordinated, Windows Server 2003 can detect new devices, allocate system resources, and install or request drivers with minimal user intervention. Troubleshooting problems during the Plug and Play detection phase If startup fails during the Plug and Play detection phase and you have recently added a new hardware component, you are having a problem installing a new hardware component. Remove the hardware component, and refer to the hardware documentation for installation instructions. If you experience a Stop error during this phase, use the information provided by the Stop message to isolate the failing component. Startup Phases for Itanium-based Windows Server 2003 Computers Windows Server 2003 Enterprise Edition and Datacenter Edition also run on Itanium-based computers. The startup process for Itanium-based computers is similar to that of 32-bit computers. Itanium-based computers proceed through the following startup stages: 1. Power-on self test (POST) phase 2. EFI boot manager phase 3. Kernel loading phase 4. Device driver and service initialization phase 5. Logon phase 錯誤! 尚未定義樣式。 17

Itanium-based Windows Server 2003 Startup Files for Itanium-based computers Table 9.6 lists the names and locations of the startup files for Itanium-based computers. The Extensible Firmware Interface (EFI) System partition is the first partition of the startup drive. Table 9.6 Itanium-based Windows Server 2003 Startup Files File and Folder Disk Location Description Names BootNNNN EFI\Microsoft\WinNT50.x folder A file that contains a saved of the EFI boot on the EFI System partition manager NVRAM settings. A WinNT50.x folder exists for each Windows Server 2003 installation on your system. The value of x indicates the order that you installed the instance of Windows Server 2003. A corresponding BootNNNN file exists for each Windows Server 2003 installation. Setup generates a BootNNNN file during installation. The value of NNNN corresponds to the installation's NVRAM boot ID entry. Fpswa.efi EFI\Microsoft\EfiDrivers on the An EFI driver that supports EFI floating point root of the EFI System partition. operations. If the core firmware does not support these operations, the driver is required for Windows Server 2003. MSUtil (folder) Resides on the root of the EFI A folder that contains EFI tools. System partition. Nvrboot.efi \MSUtil A tool that enables you to restore boot manager startup options saved to BootNNNN files. It also allows you to back up NVRAM boot entries and edit startup parameters. Whenever possible, use Bootcfg.exe to make changes. IA64ldr.efi EFI\Microsoft\WinNT50.x folder The operating system loader. on the EFI System partition Ntoskrnl.exe systemroot\System32 The core (also called the kernel) of the Windows Server 2003 operating system. Operating system code that runs as part of the kernel does so in a special privileged processor mode, with direct access to system data and hardware. During installation, Windows Server 2003 Setup copies Ntoskrnl.exe from the operating system CD for single processor systems, or for multi-processor systems, copies Ntoskrnlmp.exe and renames it to Ntoskrnl.exe. Hal.dll systemroot\System32 The hardware abstraction layer (HAL) dynamic-link library file. The HAL abstracts low-level hardware 18 Chapter 9 Troubleshooting Startup

details from the operating system and provides a common programming interface to devices of the same type (such as video adapters). System systemroot\System32\Config\Sy The registry file that contains the data used to registry file stem create the registry key HKEY_LOCAL_MACHINE\SYSTEM. This key contains information that the operating system requires to start devices and system services. Device drivers systemroot\System32\Drivers This folder contains driver files for hardware devices.

Due to the differences between Itanium-based and 32-bit computers, certain files required for the 32-bit startup process are not required for Itanium-based computers. Table 9.7 lists 32-bit files not required by Itanium-based computers: Table 9.7 32-bit Files Not Used on Itanium-based Windows Server 2003 File not used Description Ntldr The 32-bit loader. The loader for Itanium-based Windows Server 2003 is IA64ldr.efi. Boot.ini The Boot.ini file is not required for Itanium-based computers because information previously contained in the file, such as startup options and descriptive menu text, is stored in NVRAM. Ntdetect.com Windows Server 2003 detects hardware according to the ACPI specification rather than using Ntdetect.com.

Power-on Self Test for Itanium-based Computers The POST process for Itanium-based computers is similar to 32-bit computers. The Extensible Firmware Interface (EFI) performs rudimentary hardware checks, similar to those performed by a PC-AT BIOS on a 32-bit system, and verifies that devices needed to start the system are present. See “Power-on Self Test” within “Startup Phases for 32-bit Computers” in this chapter.

Note The EFI specification, currently implemented for Itanium-based computers only, defines a new model for the interface between operating systems and platform firmware. For more information about EFI, see the Extensible Firmware Interface link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

EFI Boot Manager Phase for Itanium-based Computers After the POST finishes, the boot manager determines the EFI drivers to use, the EFI tool set that is available to the user, and the EFI startup options to display. The boot manager is contained within the firmware of Itanium-based computers. 錯誤! 尚未定義樣式。 19

The specific set of boot manager features that are available on your computer can vary from one EFI system to another. Check your system documentation for information about additional tools, which might include Nvrboot.efi, .efi, .efi, .efi, and an EFI shell. These tools are either included with the EFI shell or can be run from a floppy disk or other removable disks. You might be able to use these additional tools to perform system tasks, such as restoring the boot manager startup menu, mapping disks, performing file maintenance, updating system firmware, and doing recovery operations. To start Windows Server 2003 or any other operating system, the boot manager performs the following tasks: · Reads EFI configuration settings, such as the boot order sequence, from non-volatile memory (NVRAM). As with the CMOS settings for 32-bit computers, the contents of NVRAM are preserved even when you turn off the computer. · Locates and transfers execution to the operating system loader. For Windows Server 2003, the operating system loader is a file called IA64ldr.efi. IA64ldr.efi, in turn, starts the Itanium-based Windows Server 2003 kernel. Troubleshooting problems during the startup and boot manager phase If startup fails during the initial startup phase, you are experiencing a problem with the firmware, the NVRAM, the disk subsystem, the file system, or the configuration of hardware components. If you have changed the hardware configuration recently, verify that all cables are properly connected and jumpers are correctly configured. If the disk subsystem and NVRAM are configured correctly, you might have a corrupted file system.

Kernel Loading Phase for Itanium-based Computers IA64ldr.efi performs a function similar to that of Ntldr for 32-bit computers. IA64ldr.efi is responsible for loading the kernel (Ntoskrnl.exe) and the hardware abstraction layer Hal.dll into memory. However, Ntldr has the additional responsibility of performing boot manager functions for 32-bit computer. IA64ldr.efi loads control set information and uses it to load device drivers. For more information about the kernel loading phase, see “Kernel Loading Phase” earlier in this chapter.

Device Drivers and Services Phase for Itanium-based Computers The processes that occur for Itanium-based computers during this phase closely resemble the processes for 32-bit computers. For more information about the device drivers and services phase, see “Kernel Loading Phase” earlier in this chapter.

Logon Phase for Itanium-based Computers During this phase, the processes that occur for Itanium-based computers closely resemble the processes for 32-bit computers. For more information about the operating system logon phase, see “Logon Phase” earlier in this chapter. 20 Chapter 9 Troubleshooting Startup

Plug and Play Device Detection Phase for Itanium-based Computers The processes that occur for Itanium-based computers during this phase closely resemble the processes for ACPI compliant 32-bit computers. For more information, see “Plug and Play Device Detection” earlier in this chapter. Comparison of the Startup Processes Table 9.8 lists the startup phases and provides a descriptive summary of the differences between 32-bit and Itanium-based computers. Table 9.8 Summary of the Startup Process Startup Phase 32-bit Computers Itanium-based computers Power-on self test Both 32-bit and Itanium-based computers perform similar tasks during this (POST) phase. Initial startup phase The system searches for a boot device The EFI starts the boot manager. according to the boot order setting stored in CMOS. If the boot device is a hard disk, the BIOS loads and transfers execution to the MBR, which initiates Ntldr. Boot loader phase Ntldr switches the CPU to protected Boot manager determines which mode, and then reads the contents of operating system loader to initiate the Boot.ini file. based on information read from NVRAM. This information determines the startup Boot manager information is used to options and initial boot menu determine the startup options. selections. Detect and configure Ntldr launched Ntdetect.com to gather The boot manager searches for and hardware phase basic hardware configuration data. If starts IA64ldr.efi. more than one hardware profile exists, Windows Server 2003 attempts to use the one that is correct for the current configuration. If the firmware complies with ACPI Windows Server 2003 uses ACPI specifications, Windows Server 2003 functionality to enumerate devices. uses ACPI functionality to enumerate devices.

Kernel loading phase Ntldr passes the information collected IA64ldr.efi loads by Ntdetect.com to Ntoskrnl.exe. 1. kernel Ntldr then loads : · HAL 1. kernel · registry 錯誤! 尚未定義樣式。 21

· HAL information · registry A progress indicator appears near the information bottom of the screen. A progress indicator appears near the bottom of the screen. Logon phase Both 32-bit and Itanium-based computers perform similar tasks during this phase. Plug and Play device Both 32-bit and Itanium-based computers perform similar tasks during this detection phase.

Table 9.9 lists the files that are processed by 32-bit and Itanium-based computers during the startup process. This information is useful if your organization uses Windows Server 2003 for both 32-bit and Itanium-based computers. For example, when diagnosing a problem on a Itanium-based computer, you can immediately eliminate Boot.ini and Ntdetect.com from your list of potential causes. Table 9.9 Files Processed During Startup Itanium- 32-bit File Name based Computers Computers Boot.ini Bootsect.dos (multiple-boot with older operating system only) Csrss.exe FPSWA.efi Hal.dll IA64ldr.efi Lsassexe Ntbootdd.sys Ntdetect.com Ntkrnlpa.exe (32-bit Windows Server 2003 Enterprise Edition or Windows

Server 2003 Datacenter Edition only) Ntkrpamp.exe (32-bit Windows Server 2003 Enterprise Edition or Windows

Server 2003 Datacenter Edition only) Ntldr Ntoskrnl.exe Services.exe Smss.exe 22 Chapter 9 Troubleshooting Startup

Winlogon.exe Files in the systemroot\System32\Config\ folder Files in thesystemroot\System32\Drivers folder

Being Prepared for Startup Failures There are several steps you can take to prepare yourself, and your computers, for troubleshooting startup problems before the problems occur. Most importantly, you should use Automated System Recovery (ASR) to save important disk configuration information to a floppy so that you can quickly the system in the event of a disk error. You should also familiarize yourself with the Recovery Console, install the Recovery Console on your computers, and have a Windows Server 2003 CD available to start Recovery Console if the hard disks are not available. If you have recently created an ASR backup set, you should attempt to repair a problems using ASR before loading Recovery Console. Recover Console should be used when an ASR backup set is not available, or ASR does not resolve the problem. Saving System Files and Settings by Using Automated System Recovery The Backup tool adds a new feature called ASR that enables you to recover from situations where you cannot easily repair system partition damage. ASR works by writing operating system files onto backup media, and hard disk configuration information to floppy disk. If you have a recent ASR backup set to use, you can begin an ASR restore by using the Windows Server 2003 operating system CD to start your computer. During the text-mode setup phase, wait for the Press F2 to run Automated System Recovery (ASR) prompt to appear. Respond to the prompt by pressing F2 and follow the instructions on the screen. Using Recovery Console If you cannot start your computer in or by using the Last Known Good Configuration startup option, you can use Recovery Console. With the local Administrator password, you can use this command-line interface to start recovery tools, start and stop services, access files on hard disks, and perform advanced tasks, such as manually replacing corrupted system files. You can run Recovery Console from the Windows Server 2003 operating system CD, or you can install it as a startup option. Always have the Windows Server 2003 media available so that you can launch Recovery Console when necessary. Infrequently, startup files and critical areas on the hard disk become corrupted. If the corruption is extensive, it might prevent you from starting Windows Server 2003 in normal or safe modes, or from using the installed Recovery Console or using the Last Known Good Configuration 錯誤! 尚未定義樣式。 23

startup option. In these situations, you can run Recovery Console from the Windows Server 2003 operating system CD.

Installing Recovery Console While you can always launch Recovery Console using the Windows Server 2003 operating system CD, you can install the Recovery Console onto the hard disk to allow you to start Recovery Console faster, or in situations where the Windows Server 2003 operating system CD is not accessible, but the hard disk is accessible. Installing the Recovery Console to the hard disk is an option only for 32-bit computers.

Caution Installing the Recovery Console also installs a new boot loader. As a result, if you install the Recovery Console from the Windows XP CD-ROM, you will replace the Windows Server 2003 boot loader, and your system will no longer start successfully. Use caution when installing the Recovery Console on a computer with multiple boot options.

To install Recovery Console as a startup option for 32-bit computers 1. With Windows Server 2003 running, insert the Windows Server 2003 operating system CD into your CD-ROM drive. If the Welcome to Microsoft Windows Server 2003 window appears, click . 2. From the Start menu, click Run, and in the Open box, type cmd. 3. At the command prompt, type: drive:\i386\Winnt32.exe /cmdcons In the preceding command, drive represents the letter of the CD-ROM or network drive that holds the Windows Server 2003 installation files. 4. The Windows Setup dialog appears. Click Yes. Windows Setup installs the Recovery Console. 5. After setup completes, click OK.

Starting Recovery Console You can always launch Recovery Console by booting the computer from the Windows Server 2003 operating system CD, even if the hard disk is not accessible. If the hard disk is accessible, and Recovery Console has been installed on the hard disk, you can launch Recovery Console directly from the operating system selection menu. To start Recovery Console from the operating system selection menu · Restart your computer. Microsoft Windows Recovery Console appears as a menu item in the Windows Server 2003 operating system selection menu. 24 Chapter 9 Troubleshooting Startup

Note When you start your computer by using the bootable Windows Server 2003 operating system CD, Setup checks the hard disk for Windows Server 2003 or another Windows operating system, such as Windows 2000. If an operating system is found, you have the option of bypassing CD-ROM startup by not responding to the Press any key to boot from CD-ROM prompt that appears. If you do not press a key within three seconds, Setup does not run and the computer passes control from the CD-ROM to the hard disk.

If the hard disk is not accessible, or Recovery Console has not been installed on the hard disk, you can launch Recovery Console directly from the Windows Server 2003 operating system CD. To start Recovery Console from the Windows Server 2003 operating system CD 1. Insert the Windows Server 2003 operating system CD into the CD-ROM drive, and restart the computer. When prompted, press a key to start Setup.

Note If Windows Server 2003 setup does not automatically start when your computer is started, verify that another computer can boot from the CD-ROM, your computer is configured to boot from the CD-ROM drive, and you are not experiencing serious hardware problems.

2. At the Setup Notification screen, press ENTER. 3. At the Welcome to Setup screen, press R to select To repair a Windows installation using Recovery Console. A menu that lists one or more Windows 2000, Windows NT, and Windows Server 2003 installations appears. 4. Type the number corresponding to the installation that you want to use, and then press ENTER. 5. At the prompt, enter the password used for the local Administrator account to access the contents of the local hard disk. Recovery Console accepts only the local Administrator account password. From Recovery Console, you can attempt to replace corrupted files with undamaged copies stored on removable disks, such as a floppy disk or the Windows Server 2003 operating system CD. To use the CD-based Recovery Console, you must set the CD-ROM as the primary boot device (the first item listed in the boot order). If the CD-ROM is not listed as a boot order option in the computer firmware, you cannot start your computer by using the Windows Server 2003 operating system CD. Windows Server 2003 does not support starting from a floppy disk. 錯誤! 尚未定義樣式。 25

Startup Troubleshooting Before Product Logo Appears Troubleshooting startup problems is more challenging than troubleshooting problems that occur while Windows is running because you cannot access the full suite of troubleshooting tools included with Windows. However, Windows Server 2003 does provide several tools that you can use to identify the cause and resolve the problem if you cannot start the operating system. First, if you have an ASR disk available, attempt to use ASR to resolve your problem. For more information about ASR, see “Saving System Files and Settings by Using Automated System Recovery” earlier in this chapter. If ASR does not resolve your problem, and the startup process does not progress to the point of displaying the graphical Windows Server 2003 logo, follow the process illustrated in Figure 9.1 for 32-bit systems, or Figure 9.2 for Itanium-based computers. 26 Chapter 9 Troubleshooting Startup

Figure 9.1 Resolving Pre-Logo Startup Problems on 32-bit Computers

錯誤! 尚未定義樣式。 27

Figure 9.2 Resolving Pre-Logo Startup Problems on Itanium-based Computers

If your computer does not display the graphical Windows Server 2003 logo before failing, or it fails before the operating system selection menu appears, another cause for the problem might be a failed hardware component. Repairing Boot.ini Settings on 32-bit Computers The Boot.ini file, which is created during setup in the system partition root, contains the boot entries that Ntldr uses to display the operating system menu. Ntldr displays the operating system menu only if two or more operating systems are configured, or if you press the F8 key. If your computer does not display the operating system menu when it should, or if your computer cannot locate the operating system after you select a from the operating system menu, you might need to rebuild the Boot.ini file. The Boot.ini file includes the path to the boot partition, 28 Chapter 9 Troubleshooting Startup

descriptive text to display, and optional parameters. The Boot.ini file supports multiple installations of Windows operating systems installed in separate partitions. The following is an example of a Boot.ini file:

[boot loader] =30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows Server 2003, Enterprise" /fastdetect

Each Boot.ini file contains two sections: [boot loader] Contains settings that apply to all the Windows installations on a computer. [operating systems] Contains settings that apply to a specific Windows Server 2003 installation on the computer. The default= line in the [boot loader] section points to the default operating system. For multiple-boot computers with different Windows Server 2003 installations, additional entries might appear in the [operating systems] section as shown:

[boot loader] timeout=30 default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS [operating systems] multi(0)disk(0)rdisk(0)partition(1)\Windows="Microsoft Windows Server 2003, Standard" /fastdetect multi(0)disk(0)rdisk(0)partition(2)\Windows="Microsoft Windows Server 2003, Enterprise" /fastdetect

When more than one operating system is installed on a computer, or when you install Recovery Console, a startup menu appears that is similar to the one shown in Figure 9.3. 錯誤! 尚未定義樣式。 29

Figure 9.3 Example of a Startup Menu

Note If only one operating system is installed and if you have not installed Recovery Console, Ntldr loader does not display a startup menu. Instead, the operating system starts immediately unless F8 is pressed.

The Boot.ini file uses the Advanced RISC Computing (ARC) naming convention to define the path to a Windows Server 2003 installation. If the contents of the Boot.ini are incorrectly changed or the file becomes corrupt, you might not be able to start Windows Server 2003. To detect and correct Boot.ini problems you need to understand ARC paths. ARC paths use the following formats: multi(W)disk(X)rdisk(Y)partition(Z)\systemroot="Description" scsi(W)disk(X)rdisk(Y)partition(Z)\systemroot="Description" signature(V)disk(X)rdisk(Y)partition(Z)\systemroot="Description"

Windows Server 2003 can use any of the preceding formats to locate the systemroot directory. Multi() syntax The multi() syntax instructs Windows Server 2003 to rely on system BIOS calls to load system files. To achieve this, Ntldr uses hardware interrupt 13 (also called INT-13) firmware instructions to locate Ntoskrnl.exe and other systemroot files needed to start Windows Server 2003. The 30 Chapter 9 Troubleshooting Startup

multi() Boot.ini syntax is used for all controllers that provide INT-13 support for ATA and SCSI disks. Table 9.10 describes the multi() parameters, which follow this syntax:

multi(W)disk(X)rdisk(Y)partition(Z) Table 9.10 describes the multi() parameters. Table 9.10 Multi()Parameters Parameter Multi Parameter Descriptions W Specifies the drive controller number (also known as the ordinal number), typically 0. The first valid number is 0. X This value is always 0, when the multi() syntax is used. Y Specifies a physical hard disk attached to drive controller W. For ATA controllers, this number is typically between 0 and 3. For SCSI controllers, this number is typically between 0 and 7, or 0 and 15, depending on the adapter type. The first valid number is 0. Z Specifies the partition number on the physical disk specified by parameter Y, attached to the controller specified by parameter W. All partitions in use are assigned a number. The first valid number is 1.

Server 2003Signature() syntax The signature() syntax shares similarities with the scsi() syntax and was implemented to support Plug and Play scenarios where you install additional drive controllers to your computer. Windows Server 2003 Setup determines whether to use the signature() syntax during installation. The signature() syntax is valid for computers equipped with either ATA or SCSI hard disks. The signature() parameters follow this syntax:

signature(V)disk(X)rdisk(Y)partition(Z) The signature() syntax instructs Ntldr to locate the disk with the signature that matches the first value in parentheses, regardless of the controller number associated with the disk. A disk signature is a hexadecimal number that is extracted from information in the MBR and written to the disk during the text-mode portion of Windows Server 2003 Setup or during previous Windows 2000 and Windows Server 2003 installations. This 32-bit hexadecimal number uniquely identifies the disk. If you see the signature() syntax used in the Boot.ini file, it means that Ntbootdd.sys is required to access the boot partition and one or both of the following conditions exist: · You installed Windows Server 2003 to a hard disk partition larger than 7.8 gigabytes (GB) in size, the ending cylinder number is higher than 1024 for that partition, and the system firmware or startup controller BIOS cannot gain access by using extended INT-13 calls. · The hard disk controller BIOS does not support extended INT-13 calls or you have set this option to disabled by using the adapter's built-in setup utility. When Windows Server 2003 is unable to use INT-13 BIOS calls during the startup process, the file Ntbootdd.sys is required to access the boot partition. Whenever possible, configure your storage controller to use INT-13 BIOS calls. Consult the documentation for the storage adapter to determine the correct hardware settings. 錯誤! 尚未定義樣式。 31

Table 9.11 describes the signature()parameters. Table 9.11 Signature()Parameters Parameter Signature() Parameter Descriptions V A 32-bit hexadecimal number extracted from the MBR that identifies the disk. X Specifies a physical hard disk with signature V, attached to any drive controller that uses Ntbootdd.sys. For SCSI controllers, this number is typically between 0 and 7, or 0 and 15, depending on the adapter type. The first valid number is 0. Y This value is always 0. Z The partition number on the physical disk with a signature matching V. The first valid number is 1.

Note The signature() syntax might increase the time required to start Windows Server 2003, depending on the number of controllers and disks present.

NTBootdd.sys file Ntbootdd.sys is a copy of a storage controller device driver that resides on the root of the startup partition. Ntbootdd.sys is used when the Boot.ini specifies the scsi() syntax or when the signature() syntax is used for disk controllers with disabled firmware. The Ntbootdd.sys file can be used for ATA disks, depending upon the type of controller used. Follow the manufacturer's instructions for hardware and driver installation when using add-in Peripheral Component Interconnect (PCI) ATA controllers with Windows Server 2003. Boot.ini parameters and options The Boot.ini file consists of two sections, [boot loader] and [operating systems]. You can customize the startup process by editing these sections. Table 9.12 lists parameters for the [boot loader] section. 32 Chapter 9 Troubleshooting Startup

Table 9.12 Boot.ini [Boot Loader] Parameters Parameter Boot.ini [Boot Loader] Parameter Descriptions Timeout=seconds · Specifies the number of seconds that the startup menu is displayed before the operating system specified in the default= line is loaded. · If you set this value to 0, Ntldr immediately starts the default operating system without displaying the bootstrap loader screen. · If you set this value to –1, Ntldr displays the menu indefinitely unless you make a choice. default= Specifies the ARC path to the default operating system. redirect={com1|com2| For the parameter comx, x indicates the number to use for usebiossettings} Emergency Management Services, typically 1 or 2. The Boot.ini file is not present on Itanium-based computers, however, this option can be configured in NVRAM. For the parameter usebiossettings, instructs Windows Server 2003 to detect and use Serial Port Console Redirection (SPCR) table settings. Emergency Management Services is not enabled if an SPCR table is not detected. This is the default setting for ACPI computers.

Table 9.13 lists commonly used optional parameters that you can append to the ARC paths contained in the [operating systems] section of the Boot.ini file. Table 9.13 Boot.ini [Operating System] Parameters Parameter Description /3GB Specifies for 32-bit computers that the operating system allocate 3 GB of virtual address space to applications and 1 GB to kernel and executive components. An application must be designed to take advantage of the additional memory address space. . /basevideo Directs the operating system to use standard VGA mode (640 x 480 pixel resolution with 256 available colors) for the installed video driver. If you install a new video driver, and it fails to work properly, you can use this parameter to start the operating system. You can then remove, update, or roll back the problem video driver. /baudrate= Specifies the baud rate used for kernel debugging over a serial port. The default baud rate is 19200 kilobits per second (Kbps). Valid baudrates are 9600, 19200, 38400, 57600, 115200 kbps. Including this parameter in the Boot.ini file implies the / parameter. /bootlog Enables boot logging to a file called systemroot\Ntbtlog.txt. /crashdebug Loads the Windows kernel debugger when you start Windows Server 2003 but it remains inactive until a Stop message error occurs. This parameter is useful if you experience random kernel errors. /debug Loads the Windows kernel debugger when you start Windows Server 2003. 錯誤! 尚未定義樣式。 33

/debugport={com1|com2|13 Specifies the communication port for kernel debugging, typically com1, 94} com2, or 1394. Using this parameter in the Boot.ini file implies the /debug parameter. /emsbaudrate:value Sets the baud rate for Emergency Management Services. 9600 Kbps baud is the default, with other values of 19200 Kbps, 57600 Kbps, and 115200 Kbps possible, depending upon the capabilities of the serial port. This must be used with /redirect= in the [boot loader] section, otherwise this parameter is ignored. /fastdetect Turns off serial and bus mouse detection in Ntdetect.com. Use if you have a component other than a mouse attached to a serial port during the startup process. If you use /fastdetect without specifying a communication port, serial mouse detection is disabled on all communication ports. /nolowmem Causes Ntkrnlpa.exe to load all applications and device drivers beyond the first 4 GB. It is useful for testing device driver compatibility on large memory computers. Used only on computers that have more than 4 GB of RAM and the /pae Boot.ini parameter activated. /pae Enables 32-bit computers to address more than 4 GB of memory (up to 64 GB). Physical address extensions (PAEs) allow an application to access more memory. This parameter is only valid for 32-bit computers running Windows Server 2003 Enterprise Edition and Windows Server 2003 Datacenter Edition. This parameter does not apply to Itanium-based computers. A related parameter, /nopae, forces Ntldr to load the non-Physical Address Extension version of the Windows kernel, even if the computer is detected as supporting 32-bit PAEs and has more than 4 GB of physical memory. /pcilock For 32-bit computers, stops the operating system from dynamically assigning hardware input and-output, and interrupt request resources to PCI devices. Allows the BIOS to configure the devices. /redirect Instructs Windows Server 2003 to enable EMS. This is similar to the /redirect parameter in the [boot loader] section, but enables EMS after the operating system has been selected. /safeboot:parameter Forces a start in safe mode by using the specified parameters. The available parameters are: 1. minimal · network · safeboot:minimal (alternate shell) You can combine other Boot.ini parameters with the /safeboot: parameter. The following examples illustrate the parameters that are in effect when you select a safe mode option from the startup recovery menu. · Safe Mode with Networking 34 Chapter 9 Troubleshooting Startup

/safeboot:minimal /sos /bootlog /noguiboot · Safe Mode with Networking /safeboot:network /sos /bootlog /noguiboot · Safe Mode with Command Prompt /safeboot:minimal(alternateshell) /sos /bootlog /noguiboot

/sos Displays the names of each device driver as it loads. Use when startup fails (while loading drivers) to determine which driver is failing to load.

Editing and repairing the Boot.ini file When you install Windows Server 2003, the hidden for Boot.ini is set by default. To edit the Boot.ini file, you can use the following tools: · Bootcfg.exe · System Configuration Utility (Msconfig.exe) · System Properties · A text editor (such as Notepad.exe)

Important Always make a backup copy of the Boot.ini file before editing it.

To use Bootcfg.exe to view or edit the Boot.ini file · To view the contents of the Boot.ini file, at the command prompt type bootcfg /query · To edit the Boot.ini file, use the bootcfg /Addsw or bootcfg /Rmsw command to change Boot.ini options. For a list of parameters, at the command prompt type bootcfg /? Bootcfg.exe is a new command-line tool for Windows Server 2003 and Windows XP Professional. To use the System Configuration Utility to edit the Boot.ini file 1. In the Run dialog box, type , and then click OK. 2. Click the BOOT.INI tab. You can individual Boot.ini lines up or down, or you can add Boot Options settings to each ARC path by selecting the check box associated with each parameter. To use System Properties to edit the Boot.ini file. 1. Click Start, highlight , and then click System. 2. Click the Advanced tab, and in the Startup and Recovery box, click Settings. 3. To change the default operating system, select from the options listed in Default operating system. To edit the Boot.ini file manually, click Edit in the System Startup area. 錯誤! 尚未定義樣式。 35

Clicking Edit causes Notepad to read the contents of Boot.ini for editing. For multiple-boot computers, the option that you select in Default operating system, updates the Boot.ini default= ARC path entry in [boot loader]. To use Notepad or another text editor to edit the Boot.ini file 1. In the Run dialog box, type notepad (or another text-editing program that you prefer to use) at the command prompt. 2. On the File menu, click Open, and then specify %systemdrive%\Boot.ini. The %systemdrive% represents the drive letter assigned to the system partition. When you install Windows Server 2003, the hidden, system, and read only file attributes for the systemdrive\Boot.ini file are set by default. Before using Notepad for the preceding procedure, you need to clear these attributes by typing %systemdrive%\boot.ini -h –s -r at the command prompt. Replacing a damaged Boot.ini file If your computer fails to start due to a damaged Boot.ini file, you can use the following methods to replace the file or to correct errors. The bootcfg command is a new addition to Recovery Console. To use Recovery Console bootcfg command to rebuild a Boot.ini file (Automatic Method) 1. Start Recovery Console. 2. At the Recovery Console prompt, type bootcfg /rebuild. Windows Server 2003 scans the hard disks on your computer and checks for Windows installations. For each Windows installation, bootcfg prompts you to add it to the boot list, enter a load identifier, and specify load options as shown:

C:\WINDOWS>bootcfg /rebuild

Scanning all disks for Windows installations.

Please wait, since this may take a while...

The Windows installation scan was successful.

Note: These results are stored statically for this session. If the disk configuration changes during this session, in order to get an updated scan, you must first reboot the machine and then rescan the disks.

Total identified Windows installs: 1

[1]: C:\WINDOWS Add installation to boot list? (Yes/No/All): y Enter Load Identifier: Windows Server 2003 Enterprise Edition Enter OS Load Options: /fastdetect If a Boot.ini file currently exists, Bootcfg adds the entries to the beginning of the file. Otherwise, bootcfg rebuilds the Boot.ini file. 36 Chapter 9 Troubleshooting Startup

Note The Recovery Console bootcfg command is not the same as the Windows Server 2003 Bootcfg.exe command-line tool. Bootcfg.exe resides in thesystemroot\System32 folder and is a standalone command-line tool that you cannot use in Recovery Console.

To use Recovery Console to create a new Boot.ini (Manual Method) 1. Start Recovery Console. 2. For more information about installing and using Recovery Console, see “Using Recovery Console” later in this chapter. 3. From the Recovery Console prompt, type: map A list containing hard disk and partition information for Windows Server 2003 and other operating systems, such as Windows 2000 and Windows NT 4.0, appears as shown below. Record and use this information to correct errors to an existing Boot.ini file, or to create a new Boot.ini file by using a text editor, such as Notepad, on another computer. (You must use another computer because the Recovery Console does not provide text-editing tools.)

C:\WINDOWS>map

C: NTFS 16378MB \Device\Harddisk0\Partition1 A: \Device\Floppy0 D: \Device\CdRom0

When you are trying to copy an existing Boot.ini file to a floppy disk to edit on another computer, be aware that floppy disk write access is disabled by default. For information about using the Recovery Console to enable write access to floppy disks, see article 235364, “Description of the SET Command in Recovery Console. To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Repairing NVRAM Startup Settings on Itanium-based Computers Unlike 32-bit computers, Itanium-based computers do not require a Boot.ini file to track ARC paths to Windows Server 2003 installations and startup options. Instead, Windows Server 2003 writes this information to NVRAM during installation, and the EFI boot manager displays a menu with these options when you start your computer. You can manage NVRAM settings by using the following tools: · Bootcfg.exe · Nvrboot.efi 錯誤! 尚未定義樣式。 37

Bootcfg.exe Bootcfg.exe is a command-line tool that allows you to add or change Windows Server 2003 startup parameters stored in NVRAM. Always use Bootcfg.exe to avoid typing errors that can occur when manually editing settings. For more information about using Bootcfg.exe to modify NVRAM, see article 303980, “How to Modify the Nonvolatile Random Access Memory by Using the Bootcfg.exe Tool.” To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Nvrboot.efi To safeguard against corrupted NVRAM data, Setup writes the boot manager entry that corresponds to a specific installation to a file named BootNNNN. Table 9.14 describes a possible scenario where BootNNNN files are written to disk after you install Windows Server 2003 three times on the same computer (as part of a multiple-boot configuration). In addition, separate WINNT50.x folders exist for each Windows Server 2003 installation. Table 9.14 WINNT50.x Folder and BootNNNN File Details and Locations Attribute File Details and Locations Installation First Second Third BootNNNN Boot0004 Boot0005 Boot0006 Disk location EFI\Microsoft\WinNT50 EFI\Microsoft\WinNT50.0 EFI\Microsoft\WinNT50.1 for \Winnt50.x folder

In the preceding table, the value of x can vary. For example, if you have also installed two non- Windows operating systems on the computer, the values for x in Table 9.14 could be 3, 4, and 5, representing three successive Windows Server 2003 installations performed. Setup determines the value of NNNN based on the NVRAM boot id entry used during installation, and the value of NNNN depends on the number of boot entries present. Therefore, it is possible for identically named BootNNNN files to exist in two different EFI\Microsoft\WINNT50.x directories. You can recover from problems caused by corrupted or deleted NVRAM settings by using Nvrboot.efi, which is a menu-driven tool. The Nvrboot.efi tool enables you to restore boot manager startup options saved to BootNNNN files. If the boot manager option that allows you to select one or more Windows Server 2003 installations is missing, Nvrboot.efi enables you to restore any or all entries by doing the following: · Importing individual BootNNNN files that are stored inWinNT50.x folders. · Exporting some or all EFI boot manager entries to a user-specified location. You can then use the backups generated by Nvrboot.efi to restore missing NVRAM entries. The steps that you must follow to run Nvrboot.efi vary by computer manufacturer. For more information about starting and using Nvrboot.efi, review your computer documentation. Methods that the EFI boot manager might provide to start Nvrboot.efi include startup menu items similar to the following: 38 Chapter 9 Troubleshooting Startup

· EFI Shell. Selecting this option enables you to navigate to the MSUtil folder on the EFI System partition. From the EFI command-line, type: nvrboot · Other Options. Choosing this option might display a submenu from which you can select the option to start the EFI shell.

Note Windows Server 2003 does not update BootNNNN files in EFI\Microsoft\WinNT50.x folders when you from basic to dynamic disks. You must manually export the boot menu entry corresponding to a Windows Server 2003 installation and overwrite the previous versions originally created by Setup. You also need to update NVRAM backup files saved to other folders.

For more information about using Nvrboot.efi, see article 298872, “How to Modify NVRAM with Nvrboot.efi.” To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Repairing the Boot Sector and Master Boot Record If you have replaced your boot disk, added a new disk, installed a new operating system, or been infected with a virus, and your computer is not reaching the operating system choice menu, you might need to repair the master boot record and the boot sector. The computer uses the master boot record and the boot sector together to determine the location of Ntldr, which in turn starts Windows Server 2003. To create a new boot sector 1. Start Recovery Console. 2. At the Recovery Console prompt, type fixboot volume. 3. When prompted, type Y, and then press Enter. For example, to write a new partition boot to the C:\ drive, issue the following command:

fixboot C:

To repair the master boot record 1. Start Recovery Console. 2. At the Recovery Console prompt, type fixmbr. To specify a device other than the boot device, type:

fixmbr device 3. When prompted, type Y, and then press Enter. 錯誤! 尚未定義樣式。 39

Replacing Windows 32-bit Version Startup Files If startup files become corrupted, Windows Server 2003 cannot start successfully. When this happens, the correct course of action is to use Recovery Console to replace those startup files. To replace startup files 1. Insert the Windows Server 2003 System CD, and then restart your computer. 2. Start Recovery Console as described in “Starting Recovery Console” in this chapter. 3. After Recovery Console starts, you can replace system files as needed. · For single processor systems, issue the following commands if your Windows Server 2003 CD is the D: drive, otherwise, replace D: with the drive letter assigned to your CD. For each command, you might be prompted to overwrite the destination file. For each prompt, type y, and then press Enter:

CD System32

Expand D:\i386\ntoskrnl.ex_

Expand D:\i386\hal.dl_ · For multiple processor systems, issue the following commands if your Windows Server 2003 CD is the D: drive, otherwise, replace D: with the drive letter assigned to your CD. For each command, you might be prompted to overwrite the destination file. For each prompt, type y, and then press Enter:

CD System32

Del ntoskrnl.exe

Expand D:\i386\ntkrnlmp.ex_

Rename ntkrnlmp.exe ntoskrnl.exe

Expand D:\i386\halmps.dl_

Rename halmps.dll hal.dll 4. If your system volume is different from your boot volume, change the current path to the boot volume by typing the drive letter of the boot volume, followed by a colon. For example, if you need to switch to the C: drive, type C:. 5. Switch to the root of the boot volume by typing CD \. 6. Issue the following commands if your Windows Server 2003 CD is the D: drive, otherwise, replace D: with the drive letter assigned to your CD. For each command, you might be prompted to overwrite the destination file. For each prompt, type y, and then press Enter:

Copy D:\i386\

Copy D:\i386\ntdetect.com 40 Chapter 9 Troubleshooting Startup

Replacing Itanium-based Windows Server 2003 Startup Files If startup files become corrupted, Windows Server 2003 cannot start successfully. When this happens, the correct course of action is to use Recovery Console to replace those startup files. To replace startup files 1. Insert the Windows Server 2003 System CD, and then restart your computer. 2. Start Recovery Console as described in “Starting Recovery Console” in this chapter. After Recovery Console starts, you can replace system files as needed. Issue the following commands if your Windows Server 2003 CD is the D: drive, otherwise, replace D: with the drive letter assigned to your CD. For each command, you might be prompted to overwrite the destination file. For each prompt, type y, and then press Enter:

cd system 32 copy d:\ia64\ntkrnlmp.exe Expand d:\ia64\hal.ex_ Startup Troubleshooting After Product Logo Appears If your computer displays the graphical Windows Server 2003 logo before failing, use the process illustrated in Figure 9.4 to identify and disable the failing software component to allow Windows to start successfully. Once Windows starts, you can perform further troubleshooting to resolve the problem with the component if necessary. If the startup problem occurs immediately after updating or installing a startup application, try troubleshooting the startup application. For information about troubleshooting startup applications, see “Temporarily Disabling Startup Applications and Processes” later in this chapter. 錯誤! 尚未定義樣式。 41

Figure 9.4 Resolving Post-Kernel Startup Problems

42 Chapter 9 Troubleshooting Startup

If the startup problem occurs immediately after updating or installing an application, you can restore previous system settings by using the following features: 1. Use the Last Known Good Configuration. 2. Undo a device driver update by rolling back a driver. The preceding options are not limited to troubleshooting startup problems, but also apply to any problem affecting the operating system. If you are still unable to start your computer in normal mode, you can restart your computer in safe mode and disable services and software that might be interfering with the startup process. If the problem prevents you from starting in safe mode, you can try the following: 1. Use Recovery Console to replace corrupted files or to perform other manual recovery operations. 2. Examine and correct the following: · Boot.ini settings on 32-bit computers. · NVRAM startup settings on Itanium-based computers. 3. Perform a parallel Windows Server 2003 installation and use Backup to restore operating system files from backup media. 4. Use ASR in Windows Server 2003 Backup to reformat the system partition and restore operating system files from backup media. If none of the processes described or referenced in this section solves the startup problems, as a last resort you can try the procedures in “Other Troubleshooting Startup Procedures.” Restoring to the Last Known Good Configuration Last Known Good Configuration is usually used to enable the operating system to start if it fails after the product logo is displayed. Using Last Known Good Configuration helps to correct instability or startup problems by reversing the most recent system, driver, and registry changes within a hardware profile. When you use this feature, you lose all configuration changes that were made since you last successfully started your computer. Using the Last Known Good Configuration restores previous drivers and also restores registry settings for the subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet. Windows Server 2003 does not update the LastKnownGood control set until you successfully start the operating system in normal mode and log on. When you are troubleshooting, it is recommended that you use Last Known Good Configuration before you try other start up options, such as safe mode. However, if you decide to use safe mode first, logging on to the computer in safe mode does not update the Last Known Good control set. Therefore, Last Known Good Configuration remains an option if you cannot resolve your problem by using safe mode. 錯誤! 尚未定義樣式。 43

To access the Last Known Good Configuration startup option 1. Remove all floppy disks and CDs from your computer, and restart your computer. 2. Press F8 at the operating system menu. If the operating system menu does not appear, press F8 after the firmware POST process completes but before Windows Server 2003 displays graphical output. The Windows Advanced Options menu appears, as shown in Figure 9.5. 3. On the Windows Advanced Options menu, select Last Known Good Configuration. When Windows Server 2003 starts, it reads status information from the file systemroot\Bootstat.dat. If Windows Server 2003 detects that the last startup attempt was unsuccessful, it automatically displays the startup recovery menu which provides startup options similar to the Windows Advanced Options menu, without requiring you to press F8. Figure 9.5 Startup Options When Your Computer Cannot Start

Caution If you suspect that changes made since you last successfully restarted the computer are causing problems, do not start Windows and log on normally because logging on causes the Last Known Good Configuration control set to be overwritten. Instead, restart the computer and use the Last Known Good Configuration. You can also log on in Safe Mode without overwriting the Last Known Good Configuration. For more information about control sets, see “Kernel Loading Phase” earlier in this chapter. 44 Chapter 9 Troubleshooting Startup

Enabling Boot Logging Boot logging is useful for isolating the cause of a startup problem that occurs after the operating system menu appears. To enable boot logging You can enable boot logging by using either of these methods: 1. On 32-bit systems, and any system that uses a boot.ini file, open a command prompt, and execute bootcfg at the command prompt. 2. Identify the boot entry ID of the operating system instance you are troubleshooting. If you have only one operating system installed, the entry ID is 1. 3. Execute the command bootcfg /RAW “/bootlog” /A /ID boot_entry_ID. 4. Restart the computer. - or - 5. Restart the computer. 6. Press F8 when prompted. 7. On the Windows Advanced Options Menu, select Enable Boot Logging. 8. At the operating system menu, Enable Boot Logging is displayed at the bottom of the screen. Select the default operating system choice to start Windows Server 2003 with boot logging enabled. Starting in Safe Mode Safe mode is a diagnostic environment that runs only a subset of the drivers and services that are configured to start in normal mode. Safe mode is useful when you install software or a device driver that causes instability or problems with starting in normal mode. Often, Windows can start in safe mode even if hardware failure prevents it from starting in normal mode. In most cases, safe mode allows you to start Windows Server 2003 and then troubleshoot problems that prevent startup. Logging on to the computer in safe mode does not update the LastKnownGood control set. Therefore, if you log on to your computer in safe mode and then decide you want to try Last Known Good Configuration, this option is still available to you. In safe mode, Windows Server 2003 uses the minimum set required to start the (GUI). The following registry subkeys list the drivers and services that start in safe mode: · Safe mode HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal · Safe mode with networking HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Network 錯誤! 尚未定義樣式。 45

To access safe mode 1. Remove all floppy disks and CDs from your computer, and restart your computer. 2. Press F8 after the firmware POST process completes but before Windows Server 2003 displays graphical output. The Windows Advanced Options menu appears, as shown in Figure 9.5. 3. On the Windows Advanced Options menu, select Safe Mode, Safe Mode with Networking, or Safe Mode with Command Prompt. Select Safe Mode if you do not require networking support. Select Safe Mode with Networking if you require access to the network for your troubleshooting—for example, if you must download an updated driver. SELECT Safe Mode with Command Prompt if Safe Mode does not start correctly. When Windows Server 2003 starts, it reads status information from the file systemroot\Bootstat.dat. If Windows Server 2003 detects that the last startup attempt was unsuccessful, it automatically displays the startup recovery menu which provides startup options similar to the Windows Advanced Options menu, without requiring you to press F8. Identifying Failing Drivers and Services When you are troubleshooting, the method for determining which services and processes to temporarily disable varies from one computer to the next. The most reliable way to determine what you can disable is to gather more information about the services and processes enabled on your computer. These Windows Server 2003 tools and features generate a variety of logs that can provide you with valuable troubleshooting information: · · Sc.exe · System Information · Error Reporting service · Boot logs Event Viewer (Eventvwr.msc) You can use Event Viewer (Eventvwr.msc) to view logs that can help you to identify system problems when you are able to start the system in safe or normal mode. When you are troubleshooting, use these logs to isolate problems by application, driver, or service, and to identify frequently occurring issues. You can save these logs to a file and specify filtering criteria. Event Viewer provides a minimum of three logs for computers running Windows Server 2003: · Application logs. The application log contains events logged by applications or programs. For example, a database program might record read or write errors here. · Security logs. The security log holds security event records, such as logon attempts and actions related to creating, opening, or deleting files. An administrator can specify what events to record in the security log. 46 Chapter 9 Troubleshooting Startup

· System logs. The system log contains information about system components. Event Viewer logs an entry when a driver or other system component does not load during startup. Therefore, you can use Event Viewer to search for information about drivers or services that did not load.

· Additionally, Microsoft® Active Directory® domain controllers have three additional logs: Directory Service, DNS Server, and . These log files do not typically contain events relating to startup problems, however. To use Event Viewer to obtain driver and service error information from the System log 1. Click Start, point to Administrative Tools, and click Event Viewer. 2. Click System, and on the View menu, click Filter to open the System Properties dialog box. 3. Under Event types, click to clear the Information and Warning check boxes. 4. In the Event source list, click Service Control Manager, and then click OK. 5. Double-click an event entry to view details. A related command-line tool, Event Query (Eventquery.vbs), enables you to search the event logs by using specified criteria. For troubleshooting, using Event Query enables you to view the Event logs for entries related to specified event properties, including date and time, event ID, and user name. Sc.exe For identifying failed services while using Safe Mode With Command Prompt, the sc query command is the most helpful. The report that follows is a small fraction of the information you can obtain by typing sc query at the command prompt:

SERVICE_NAME: winmgmt DISPLAY_NAME: Windows Management Instrumentation TYPE : 20 WIN32_SHARE_PROCESS STATE : 4 RUNNING (STOPPABLE, PAUSABLE, ACCEPTS_SHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0

System Information If a startup problem occurs inconsistently and if you can start Windows Server 2003 in safe or normal mode, you can use System Information to view driver and service name, status, and startup information. System Information enables you to create lists of drivers that were processed during safe and normal mode startup. By comparing the differences between the two lists, you can determine which components are not required to start Windows Server 2003. For diagnostic purposes, you can use this list of differences to help you determine which services to disable. In safe mode, disable a service and then try to restart the operating system in normal mode. Repeat this process for each service until you are able to start in normal mode. 錯誤! 尚未定義樣式。 47

To view service or driver information 1. In the Run dialog box, type msinfo32, and then click OK. 2. Do any of the following: · To view service information, double-click Software Environment, and then click Services. · To view the state of a driver, double-click Software Environment, and then click System Drivers. Information for each driver is in the State column. · To view driver information arranged by category, double-click Components and then double-click a category, such as Storage. A related tool, Systeminfo.exe, enables you to view system information, such as processor type, firmware version, and network information, from the command prompt. Error Reporting Service Windows Server 2003 provides a service that monitors your computer for problems that affect services and applications. When a problem occurs, you can send a problem report to Microsoft and receive an automated response with more information, such as news about an update for an application or device driver. Boot Logs Boot logging lists the files that successfully and unsuccessfully processed during startup. Boot logging enables you to log the Windows Server 2003 components that are processed when you start your computer in safe mode and also in normal mode. By comparing the differences between the two logs, you can determine which components are not required to start. Windows Server 2003 records in a log, windir\Ntbtlog.txt, the name and path of each file that runs during startup. The log marks each file as successful (Loaded driver) or unsuccessful (Did not load driver). Boot logging appends entries to Ntbtlog.txt when you start Windows in safe mode. Comparing normal mode and safe mode entries enables you to determine which services run in normal mode only. The following lines are sample Ntbtlog.txt entries:

Loaded driver \SystemRoot\System32\DRIVERS\flpydisk.sys Did not load driver \SystemRoot\System32\DRIVERS\sflpydisk.SYS To repair problems caused by problematic drivers when the system starts in Safe Mode 1. Restart the system and press F8 at the operating system menu. If the operating system menu does not appear, press F8 as the system begins startup. 2. From the Windows Advanced Options Menu, select Enable Boot Logging. 3. At the operating system menu, Enable Boot Logging is displayed at the bottom of the screen. Select the default operating system choice to start Windows Server 2003 with boot logging enabled. 4. After the system fails, restart the system and press F8 at the operating system menu. If the operating system menu does not appear, press F8 as the system begins startup. 48 Chapter 9 Troubleshooting Startup

5. From the Windows Advanced Options Menu, highlight Safe Mode, Safe Mode with Networking, or Safe Mode with Command Prompt and press Enter. Boot logging is automatically enabled in these modes. 6. After safe mode starts, log on to the system. 7. Click Start and select Run. 8. In the Run dialog, type %windir%\ntbtlog.txt. The boot log file opens in Notepad. 9. Compare the list of drivers loaded in normal mode to the list of drivers loaded in safe mode. The driver that is causing the system to fail is one of the drivers listed with Loaded driver in the normal mode boot log, but listed with Did not load driver in the safe mode boot log. 10. Use Device Manager to replace or roll-back potentially problematic drivers as described in “Rolling Back Drivers” later in this chapter. Start by replacing drivers that have been recently installed or updated. After replacing a driver, repeat this process until the system starts successfully in normal mode. To repair problems caused by problematic drivers when the system does not start in Safe Mode 1. Restart the system and press F8 at the operating system menu. If the operating system menu does not appear, press F8 as the system begins startup. 2. From the Windows Advanced Options Menu, highlight Safe Mode, Safe Mode with Networking, or Safe Mode with Command Prompt and press Enter. Boot logging is automatically enabled in these modes. 3. After the system fails, restart the system and start Recovery Console. For detailed instructions, refer to “Starting Recovery Console” in this chapter. 4. Log onto the Windows installation you are troubleshooting, and enter the Administrator password when prompted. 5. At the Recovery Console prompt, in the system root, type: type ntbtlog.txt. The computer displays the boot log. The boot.log file contains a line for each service or driver that includes the service or driver name, startup type, and possibly a friendly driver or service name. Record the name of the driver or service that you want to enable or disable. 6. Press the space bar repeatedly until the entire boot log file is displayed. 7. Compare the boot log created when the system failed to start in safe mode to a boot log created when the system started successfully in safe mode. If you do not have a boot log that was created when the system started successfully in safe mode, create a boot log on a similarly configured computer by starting it in safe mode. The driver that is causing safe mode to fail is one of the drivers that is not listed in the boot log that was created when the system failed, but is listed with Loaded driver in the boot log created when safe mode started successfully. 8. If possible, replace the driver with a working version using Recovery Console. If a working version of the driver is not available, use Recovery Console to disable the driver as described in “Disabling Services and Drivers by Using Recovery Console” in this chapter. Start by replacing or disabling drivers that have been recently installed or updated. After replacing a driver, repeat this process until the system starts successfully in normal mode. 錯誤! 尚未定義樣式。 49

If you cannot start your computer in normal mode, start it in safe mode. For the services that run only in normal mode, disable those services one at a time, trying to restart your computer in normal mode after you disable each service. Continue to individually disable services until your computer starts in normal mode.

Determining Service Dependencies Some services and drivers that rely on other components are initialized before starting. If a service or driver does not start, the cause might be a dependency requirement that is not met. You can obtain a list of dependencies by using any of the following methods: · Use the Sc enumdepend command. · Start the Services tool, double-click the service you want information about, and then click the Dependencies tab. · Navigate to the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename and examine the information stored in the registry entries DependOnGroup and DependOnService. You can also check the Event Viewer System log to obtain information about services that do not start due to dependency issues. For more information about adding or changing service dependencies for troubleshooting purposes, see article 193888, “How to Delay Loading of Specific Services.” To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Rolling Back Drivers When you update a device driver, your computer might have problems that it did not have with the previous version. For example, installing an unsigned device driver might cause the device to malfunction or cause resource conflicts with other installed hardware. Installing faulty drivers might cause Stop errors that prevent the operating system from starting in normal mode. Typically, Stop message text displays the file name of the driver that causes the error. Windows Server 2003 provides a feature, Device Driver Roll Back that might help you restore system stability by rolling back a driver update.

Note You can use System Information or the Sigverif tool to determine if a driver on your computer is signed and to obtain other information about the driver, such as version, date, time, and manufacturer. This data, combined with information from the manufacturer's website, can help you decide whether to roll back or update a device driver.

50 Chapter 9 Troubleshooting Startup

To roll back a driver 1. Click Start, highlight Control Panel, and then click System. 2. Click the Hardware tab, and then click Device Manager. 3. Expand a category (Network adapters, for example), and then double-click a device. 4. Click the Driver tab, and then click Roll Back Driver. You are prompted to confirm that you want to overwrite the current driver. Click Yes to roll back the driver. The roll back process proceeds, or you are notified that an older driver is not available.

Note You can also open the System Properties box from the Start menu by clicking Run and typing sysdm.cpl in the Run dialog box. Some Control Panel tools are stored in the systemroot\System32 folder and use a .cpl file-name extension. You can start frequently used Control Panel tools from the Run dialog box or by creating shortcuts. Other frequently used programs that you can start from the Start menu include Appwiz.cpl (Add or Remove Programs), Hdwwiz.cpl (Add Hardware Wizard), and .cpl (Power Options Properties).

Temporarily Disabling Services Many services automatically run at startup, but others are started only by users or by another process. The operating system, the drivers, and the applications that are loaded on a computer determine the services that run. For example, two Windows Server 2003 computers with identical hardware installed can be running different services if they have a different set of applications installed. When you troubleshoot startup issues that are related to system services, a useful technique is to simplify your computer configuration so that you can reduce system complexity and isolate operating system services. To decrease the number of variables, temporarily close applications or services and start them one at a time until you reproduce the problem. Always close applications first, before attempting to disable system services.

Disabling Services by Using System Configuration Utility The System Configuration Utility allows you to disable system services individually or several at a time. You can also disable certain services that do not use the registry to store configuration information but that instead, use the System.ini file. For example, on 32-bit computers, you can use this tool to disable 16-bit services. To disable a service by using the System Configuration Utility 1. From the Start menu, click Run, and then type msconfig. 錯誤! 尚未定義樣式。 51

2. Do one of the following: · To disable services, on the General tab, click Selective Startup, and then click to clear the Load System Services check box. · To disable specific services, on the Services tab, click to clear the check boxes that correspond to the items you want to disable. You can also click Disable All to disable all items. If you change any startup setting by using the System Configuration Utility, Windows Server 2003 prompts you to return to normal operations the next time you log on. A prompt and the System Configuration Utility appear each time you log on until you restore the original startup settings by clicking Normal Startup under Startup Selection on the General tab. To permanently change a startup setting, use Control Panel, change a Group Policy setting, or uninstall the software that added the service.

Disabling Services and Drivers by Using Recovery Console If you are unable to start Windows Server 2003 in normal or safe modes, the cause might be an incorrectly configured driver or service that has caused a Stop message. A Stop message might provide information about the service or driver name, such as a file name. You can also compare the boot log of a system that cannot to the boot log of a similar system that does start successfully to reveal the problematic service or driver. By using Recovery Console, you can disable the problem component, which can allow the Windows Server 2003 startup process to continue in normal or safe mode. To enable or disable services or drivers 1. Start Recovery Console. 2. At the Recovery Console prompt, type listsvc. The computer displays the service or driver name, startup type, and possibly a friendly driver or service name. Record the name of the driver or service that you want to enable or disable. 3. To disable a service or driver, type:

disable name 4. To enable a service or driver, type:

enable name start_type Possible values for start_type are: · SERVICE_BOOT_START · SERVICE_SYSTEM_START · SERVICE_AUTO_START · SERVICE_DEMAND_START 52 Chapter 9 Troubleshooting Startup

Disabling Services by Using the Services Snap-in When diagnosing startup problems, you should use the System Configuration Utility to temporarily disable services. The System Configuration Utility automatically records the original settings for the service, and reminds you to restore the original settings each time you logon. If you determine that you must permanently disable a service, use the Services snap-in (Services.msc) or the Sc command in safe and normal modes to view service information or to disable a service that is causing problems. You must have administrator permissions to disable or change the service startup type. Certain startup changes are not in effect until you restart the computer. To disable a service by using the Services snap-in 1. In the Run dialog box, type services.msc, and then click OK. As Figure 9.6 shows, the Services snap-in displays the name, description, status, and startup type for each service. 2. Double-click a service name and then click the General tab. Record the setting for Startup type so that you can later restore the original value if you find that the change was not helpful. 3. Change the Startup type to Disabled. After disabling the service, try to start your computer in normal mode. If Windows starts in normal mode, you can research a permanent solution to the problem by checking technical information resources. Startup type settings remain in effect even after you restart Windows. You must use the Services snap-in or the Sc command to restore the original Startup type setting. On the General tab of the Services snap-in, you can specify the following startup types for services: · Automatic. The operating system automatically starts the service. · Manual. A user or another service starts the service. · Disabled. The service does not start. 錯誤! 尚未定義樣式。 53

Figure 9.6 Services Snap-in

Disabling Services by Using Sc.exe As an alternative to using the Services snap-in, you can use Sc.exe, a command-line tool that communicates with the Service Control Manager and displays information about services running on your computer. Sc.exe can be used when troubleshooting issues using Safe Mode with Command Prompt. Sc.exe enables you to gather the same type of information obtainable from the Services snap-in and to perform many functions including: · Disable a service by using the sc config command. · Display service information, such as start type and whether you can pause or end a service. · Change the Startup type of a service. · Start, pause, or resume a service. Troubleshooting Startup Problems After Logon If your computer fails immediately after a user logs on, use the process illustrated in Figure 9.7 to identify and disable the failing startup application to allow the user to logon successfully. If the problem occurs immediately after updating or installing an application, try uninstalling that application. 54 Chapter 9 Troubleshooting Startup

Figure 9.7 Resolving Post-Logon Startup Problems

Temporarily Disabling Startup Applications and Processes If a problem occurs after installing new software, you can temporarily disable or uninstall the application to verify that the application is the source of the problem. Problems with applications that run at startup can cause logon delays or even prevent you from completing Windows Server 2003 startup in normal mode. The following subsections provide techniques for temporarily disabling startup applications. 錯誤! 尚未定義樣式。 55

Disabling Startup Applications by Using the SHIFT Key One way you can simplify your configuration is to disable startup applications. By holding down the SHIFT key during the logon process you can prevent the operating system from running startup programs or shortcuts in the following folders: · systemdrive\Documents and Settings\Username\Start Menu\Programs\Startup · systemdrive\Documents and Settings\All Users\Start Menu\Programs\Startup · windir\Profiles\Username\Start Menu\Programs\Startup · windir\Profiles\All Users\Start Menu\Programs\Startup The windir\Profiles folders exist only on computers that are upgraded from Windows NT 4.0. To disable the applications or shortcuts in the preceding folders, you must hold down the SHIFT key until the desktop icons appear. Holding down the SHIFT key is a better alternative than temporarily deleting or moving programs and shortcuts because this procedure only affects the current user session. To use the SHIFT key to disable applications and shortcuts in startup folders 1. Log off the computer. 2. In the Welcome to Windows dialog box, press CTRL+ALT+DEL. 3. In the Log On to Windows dialog box, type your user name and password, and then click OK. 4. Immediately hold down the SHIFT key. The mouse cursor changes shape from a plain pointer, to a pointer with an hourglass (it might do this several times). 5. Continue to hold down the SHIFT key until the Windows Server 2003 desktop icons appear and the mouse cursor stops changing shape.

Disabling Startup Programs by Using the System Configuration Utility System Configuration Utility allows you to disable startup applications individually or several at a time. You can also disable certain startup programs that do not use the registry to store configuration information but that instead, use the Win.ini file. For example, on 32-bit computers, you can use this tool to disable 16-bit applications. To disable a startup program by using the System Configuration Utility 1. In the Run dialog box, type msconfig, and then click OK. 2. To disable startup applications, select the General tab, click Selective Startup, and then clear the Process WIN.INI File and Load Startup Items check boxes. –or– To disable specific startup items, select the Startup or WIN.INI tabs, and then click to clear the check boxes that correspond to the items you want to disable. You can also click Disable All on the Startup or WIN.INI tabs to disable all items on each tab. 56 Chapter 9 Troubleshooting Startup

If you change any startup setting by using the System Configuration Utility, Windows Server 2003 displays the following message when you log on:

You have used the System Configuration Utility to make changes to the way Windows starts. The System Configuration Utility is currently in Diagnostic or Selective Startup mode, causing this message to be displayed and the utility to run every time Windows starts. Choose the Normal Startup mode on the General tab to start Windows normally and undo the changes you made using the System Configuration Utility.

The preceding message and the System Configuration Utility continue to appear each time you logon until you restore the original startup settings by clicking Normal Startup under Startup Selection in the General tab. To permanently change a startup setting, you must move or delete startup shortcuts, change a Group Policy setting, or uninstall the application that added the startup application.

Disabling Startup Applications by Using the Group Policy Snap-in You can use the Group Policy MMC snap-in to disable applications that run at startup. Before you use this snap-in, you must be familiar with Group Policy concepts, and you must understand how to view registry entries and change local Group Policy settings. For information about Group Policy and about using the Group Policy snap-in, see the Change and Configuration Management Deployment Guide link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. If you are uncertain which startup applications to disable, you can view the registry startup information that appears in certain registry subkeys.

Caution Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your computer, or even require you to reinstall Windows. If you must edit the registry, back it up first.

To disable startup applications by using the Group Policy snap-in 1. In the Run dialog box, type gpedit.msc, and then click OK. 2. Double-click Local Computer Policy to expand either of the following: · Computer Configuration · User Configuration 3. Expand Administrative Templates, expand System, and then click Logon. 4. Double-click the Group Policy setting Run these programs at user logon. 5. For the programs specified in either registry subkey shown in Table 9.15, do one of the following: 錯誤! 尚未定義樣式。 57

· To disable all the programs that are listed in the following subkeys, click Disabled. Disabling this Group Policy deletes either the computer-specific or user-specific Run subkey shown in Table 9.15. · To selectively disable individual programs that are listed in the computer-specific or user-specific Run subkey, click Enabled, and then click Show. In the Show Contents dialog box, select a program to disable, and then click Remove. If you enable the preceding Group Policy settings, the programs listed in the corresponding registry subkeys start automatically when a user logs on to the computer. Table 9.15 Registry Subkeys That Specify Programs That Run at User Logon Group Policy Run List Controlled by the Group Policy setting “Run these programs at user logon” Setting Computer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies \Explorer\Run User HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies \Explorer\Run

You can change additional Group Policy settings that might help you simplify your computer configuration when you are troubleshooting startup problems. Table 9.16 lists the registry subkeys that are controlled by the Group Policy setting Do not process the run once list. If you enable this Group Policy setting, the computer ignores the programs listed in the RunOnce subkeys the next time a user logs on to the computer. Table 9.16 Registry Subkeys That Specify Programs That Run Once at User Logon

Group Policy RunOnce List Managed by the Group Policy setting “ Do not process the run once list” Setting Computer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce User HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce

Table 9.17 lists the registry subkey that is controlled by the Group Policy setting Do not process the legacy run list. The programs listed in this subkey are a customized list of programs that were configured by using the for Windows NT 4.0 or earlier. If you enable this Group Policy setting, Windows ignores the programs listed in this subkey when you start your computer. If you disable or do not configure this Group Policy setting, Windows processes the customized run list that is contained in this registry subkey when you start the computer. Table 9.17 Registry Subkeys That List Customized Legacy Programs Group Policy Customized Run List Controlled by the Group Policy setting Setting “Do not process the legacy run list” Computer HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

58 Chapter 9 Troubleshooting Startup

Group Policy changes do not always take effect immediately. You can use the Gpupdate (Gpupdate.exe) tool to refresh local Group Policy changes to computer and user policies. (Gpupdate replaces the secedit /refreshpolicy command that you used in Windows 2000 to refresh Group Policy settings.) After you refresh the policy, you can use the Group Policy Result (Gpresult.exe) tool to verify that the updated settings are in effect.

Disabling Network-based Startup Applications Additional steps might be required to disable startup applications specified by your organization such as company or division wide Group Policy settings, roaming user profiles, logon scripts, or scheduled system management tasks. To check Group Policy settings, you can use the Resultant Set of Policy (RSoP) MMC snap-in (Rsop.msc) or the Group Policy Result (Gpresult.exe) tool to view the policies currently in effect for your user and computer accounts. The information provided by these tools can assist you with troubleshooting or help you determine the policy settings that might affect your results. You can also prevent Group Policy, logon scripts, roaming user profiles, scheduled tasks, and network-related issues from affecting your troubleshooting by temporarily disabling the network adapter and then logging on by using a local computer account. To disable a network adapter · Do one of the following: · Click Start, highlight Control Panel, highlight Network Connections, right-click the network adapter, and click Disable. · In the Run dialog box, type ncpa.cpl, and then click OK. Right-click the Local Area Connection icon, and then click Disable. If you use roaming user profiles and do not want to disable the network adapter, you can temporarily switch to locally cached user profiles. Making this change preserves local diagnostic changes in case you need to log off and log on, or restart the computer. This change also prevents the from overwriting your diagnostic changes each time you log on to the computer. To switch from roaming user profiles to locally cached user profiles 1. Click Start, highlight Control Panel, and click System. 2. Click the Advanced tab. 3. Under User Profiles, click Settings, and then click the name of your user profile. 4. Click Change Type, and then click Local profile.

Manually Disabling Startup Programs and Processes You can use the registry editor (Regedit.exe) to modify the lists of programs specified in the registry to run when the system starts. For a list of registry subkeys that contain entries for service and startup programs, see “Logon Phase” earlier in this chapter. Changes made by using the registry editor might not take effect until you restart the computer. 錯誤! 尚未定義樣式。 59

For more information about disabling startup programs, see article 314488, “How to Modify the List of Programs that Run When You Start Windows XP.” To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Ending Processes and Applications That Are Not Responding A startup application or a process that stops responding can cause delays or prevent you from logging on to Windows Server 2003. A process is an instance of an application, including the set of system resources that run an application. By using , you can view and selectively end applications and processes, allowing the startup process to continue. When you are in normal or safe mode, you can also use Task Manager to gather system information, such as CPU and memory statistics. To start Task Manager · Press CTRL+ALT+DEL, and then click Task Manager. -or- · Click Start, click Run, type taskmgr, and click OK. As Figure 9.8 shows, you can select the Applications, Processes, Performance, Networking, and Users tabs. The Applications and Processes tabs provide a list of active applications and processes, some of which run in the background and might not show visible signs of activity. You can use the End Process button to end most of the items listed. 60 Chapter 9 Troubleshooting Startup

Figure 9.8 Task Manager

In addition to using Task Manager, you can also view and end processes by using two command- line tools: · Task List (.exe) · Task (Tskill.exe) Task List displays information similar to that displayed by the Task Manager Processes tab. For each process, Task List displays useful information, such as the name of the process, the process identification number (PID), and the amount of memory used. To end a process, run Task Kill by using the process ID or any part of the process name, such as the of the application window, as a command-line parameter. Preserving the Core System Processes When you are deciding which processes to temporarily disable, avoid ending the processes that are listed in Table 9.18. This table lists the core processes that are common to all computers running Windows Server 2003. Knowing the core processes is useful information because the source of an application or service-related problem is most likely due to non-core processes. 錯誤! 尚未定義樣式。 61

Table 9.18 Core System Processes Core Process Process Description Alg.exe Provides support for application level protocol plug-ins and enables network/protocol connectivity. Csrss.exe1 The implementation of the Win32 subsystem. This is an essential subsystem that is active at all times. Csrss.exe is the user-mode portion of the Windows subsystem and it maintains console windows and creates or deletes threads. Csrss stands for client/server run-time subsystem. Dfssvc.exe Integrates disparate file shares into a single, logical namespace and manages these logical volumes distributed across a local or wide area network. Explorer.exe An interactive graphical user interface shell. It provides the familiar Windows and desktop environment. This process can be terminated and restarted if you are experiencing problems with the user interface. Lsass.exe1 The LSA subsystem server component generates the process that authenticates users for the Winlogon service. The LSA also responds to authentication information received from the GINA Msgina.dll component. If authentication is successful, Lsass.exe generates the user's , which starts the initial shell. Other processes that the user initiates inherit this token. Msdtc.exe The Microsoft Distributed Transaction Coordinator is used by some applications and services to communicate between networked computers. Services.exe1 The Service Control Manager can start, stop, and pause system services. Smss.exe1 The Session Manager subsystem, which starts the user session. This process is initiated by the system thread and is responsible for various activities, including starting the Winlogon.exe and Csrss.exe services and setting system variables. Spoolsv.exe1 The spooler service. It manages spooled and fax jobs. Svchost.exe1 A generic process that acts as a host for other processes running from dynamic-link libraries (DLLs). Multiple entries for this process might be present in the Task Manager list. System1 The System “process” hosts most kernel-mode threads. System Idle1 A separate instance of this “process” runs for each processor present, and has the single purpose of accounting for unused processor time. Taskmgr.exe The process that runs Task Manager. Winlogon.exe1 The process that manages user log on and log off. Winmgmt.exe1 A core component of client management. This process starts when the first client application connects, or when management applications request its services. Wmiprvse.exe Similar to Svchost.exe, hosts Windows Management Interface processes.

1You cannot use Task Manager to end this process.1 62 Chapter 9 Troubleshooting Startup

Uninstalling Software You can simplify your system configuration by uninstalling software, which reduces the number of variables to track and helps you to identify problems more quickly. If you find that recently installed software causes system instability or if error messages consistently point to a specific application, you can use Add or Remove Programs in Control Panel to uninstall the software. If you suspect that an application is causing conflicts, uninstalling software can verify your suspicions. You can then reinstall applications after locating Windows Server 2003 updates or other solutions. Other Troubleshooting Startup Procedures If you are unable to resolve your startup problem by using the processes described in the preceding sections, there are two more drastic troubleshooting processes that might allow the system to start successfully: restoring the registry subtrees, and performing a parallel Windows Server 2003 installation. Restoring the registry subtrees might allow your system to start successfully. However, restoring older settings causes your system configuration to lose changes that have been made since the backup. This can cause applications and services installed on the system not to start successfully, even if the operating system does start. Performing a parallel installation can only be done when sufficient free space is available, and might compromise the security of the file system. Repairing System Files If the previously discussed recovery methods do not enable you to start Windows Server 2003, critical system files might have been corrupted. You can start the computer using the Windows Server 2003 CD and select the option to repair system files. This process copies files from the Windows Server 2003 CD and overwrites the files located on your hard disk. While this can enable your computer to successfully start, it overwrites files that have been updated since the system was installed. To repair system files 1. Disconnect your computer from the network to limit the computer’s vulnerability to network attacks after the system files have been replaced. 2. Insert the Windows Server 2003 CD and start your computer. 3. When prompted, press a key to boot from the CD. 4. At the Setup Notification screen, press Enter. 5. At the Welcome to Setup screen, press Enter. 6. At the Windows Licensing Agreement screen, press F8. 7. At the next screen, select your Windows Server 2003 installation and press R. The Windows Server 2003 setup overwrites system files with files from the CD. 錯誤! 尚未定義樣式。 63

8. After the computer restarts, log on as an administrator and re-install all service packs, hotfixes, and driver updates to ensure the system can connect to the network without unnecessary security vulnerabilities. 9. Reconnect the computer to the network. Recovering Data Using a New Installation Infrequently, startup files and critical areas on the hard disk can become corrupted. If you are mainly concerned with salvaging readable data files and using the Backup tool to copy them to backup media or a network location, you can perform a parallel Windows Server 2003 installation. While this might provide access to the file system, it can permanently damage your existing operating system and applications. To perform a parallel installation of Windows Server 2003 1. Restart the computer by using the Windows Server 2003 operating system CD. If prompted, press any key to start the computer from the CD-ROM. If more than one usable disk partition exists, Setup displays a list from which you can select. Setup also allows you to create new partitions or delete existing ones. If installing to the same partition as the existing Windows Server 2003 installation, Setup prompts you for a directory name (for example, Windows.tmp). 2. Accept default options and step through the installation process. When prompted with formatting options, select Leave the current file system intact (no changes) if you are performing a parallel installation Windows Server 2003 to a partition that contains data. Do not select the Format option because this deletes all data on the partition. 3. Complete the parallel installation and start the second Windows Server 2003 installation. You can now access files on other volumes and copy them to a safe location.

Note If your computer supports Remote Installation Services (RIS), you can start a Windows Server 2003 parallel installation by using the network. For more information about deploying Windows installations from a Windows Server 2003 RIS Server or Windows 2000 RIS Server, see Windows Server 2003 Deployment Kit. Recovering from Hardware-Related Startup Problems Although most hardware-related problems do not stop Windows Server 2003 from successfully starting, hardware-related problems can appear before the logo appears in the startup process and symptoms include warning messages, startup failures, and Stop messages. The causes are typically improper device configuration, incorrect driver settings, or hardware malfunction and 64 Chapter 9 Troubleshooting Startup

failure. You can also use the suggestions provided in this chapter for troubleshooting hardware issues not directly related to startup. Checking Your Hardware Always remember to check basic issues first before attempting to remove and replace parts. Refer to your motherboard and device manuals before installing new peripherals for helpful information including safety precautions, firmware configuration, and expansion slot or memory slot locations. Some peripheral manufacturers recommend that you use a bus mastering PCI slot and advise that installing their adapter in a secondary slot might cause it to function improperly.

Check the Physical Setup of Your Computer If you have recently opened the computer case, or the computer has been moved or shipped, connectors might have loosened. You should verify that connections are solid to resolve startup problems. Confirm that the power cords for all devices are firmly plugged in and that the computer power supply meets hardware specifications Computer power supplies are available in different sizes and are typically rated between 200 and 400 watts. Installing too many devices into a computer with an inadequate amount of power can cause reliability problems or even damage the power supply. See the manufacturer's power specifications when installing new devices and verify that your computer can handle the increased electrical load. Verify that you correctly installed and firmly seated all internal adapters Typically, peripherals such as keyboards and video cards must be installed and functioning to complete the startup process without generating error messages. A faulty can cause the POST process to fail on some computers. The exception to this rule is a computer with advanced firmware that allows it to start in the absence of a video adapter. Verify that you correctly attached cables Check that you have firmly seated all cable connectors. Search for damaged or worn cables and replace them as required.

Check the Configuration of Your Hardware If you have recently changed the hardware configuration of your computer, or you are configuring a new computer, you should check the configuration to identify the cause of a startup problem. Verify that you correctly configured any jumpers or dual in-line package switches Jumpers and dual in-line package (DIP) switches are used to close or open electric contacts on circuit boards. For hard disks, jumper settings are especially important because they can adversely affect the startup process if not correctly set. For example, configuring two master ATA disks that are installed on the same channel or assigning duplicate SCSI ID numbers to 錯誤! 尚未定義樣式。 65 devices in the same SCSI chain might cause a Stop error or error messages about hard disk failure. Configure Boot.ini references correctly when a hard disk is added Installing an additional hard disk in a computer can prevent Windows Server 2003 from starting. For example, in a two-disk system with Windows Server 2003 installed on the first partition of the second hard disk, the Boot.ini file might be referencing a path to the operating system. The path might use a multi() format similar to the following: multi(0)disk(0)rdisk(1)partition(1)

Depending on how the new hard disk was installed and configured, you might need to update Boot.ini references so that they point to the correct locations. For example, to restore the ability to start Windows Server 2003, you might need to change the multi() path to point to the correct disk similar to the following: multi(0)disk(0)rdisk(2)partition(1)

Adding new disks might also affect how logical drive letters are assigned to partitions. For more information about diagnosing and resolving issues due to changed logical drive letters, see articles 234048, “How Windows 2000 Assigns, Reserves, and Stores Drive Letters”; 249321, “Unable to Log on if the Boot Partition Drive Letter Has Changed”; and 225025, “Setup Changes Drive Letters After a Partition Is Deleted and Reinstalled.” To find these articles, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Configure ISA devices in Plug and Play mode If ISA devices are present, always configure them in Plug and Play mode if possible. Plug and Play is the default mode for ISA devices that comply with Plug and Play. If necessary, you can switch from Plug and Play to manual mode by using jumpers or software provided by the manufacturer. Use care when configuring ISA devices in manual mode because the operating system depends on the user to select the correct hardware and Device Manager resources. Manually selecting resources is more likely to cause an error because Windows Server 2003 cannot resolve resource conflicts for you. Manually assign interrupt request (IRQ) line numbers for each hardware device Some 32-bit motherboards force IRQ sharing across two or more expansion slots (or integrated devices) regardless of the adapters installed. In some cases, IRQ sharing can cause conflicts after you install new hardware. If you have a non-ACPI computer equipped with firmware that supports changing IRQ assignments, as a troubleshooting method, try manually changing the IRQ assigned to a problem device. Because computers that use the ACPI HAL ignore IRQ assignments stored in firmware, you are only able to manually change IRQ settings for non-ACPI (Standard PC HAL) computers. Some 32-bit computers enable you to toggle ACPI functionality. To disable or re-enable ACPI, you must first change firmware settings, start the Windows Server 2003 setup process, and choose to repair the installation to avoid a Stop 0xA5 ACPI_BIOS_ERROR message or a Stop 0x79 MISMATCHED_HAL message. 66 Chapter 9 Troubleshooting Startup

Verify SCSI configuration If your computer uses or starts from SCSI devices and if you suspect that these devices are causing startup problems, you need to check the items listed in Table 9.19. Table 9.19 Checklist for Troubleshooting SCSI Devices Checklist Description for Each Item All devices are Verify that SCSI devices are correctly terminated. There are specific rules for correctly terminated termination that you must follow to avoid problems with the computer not recognizing a SCSI device. Although these rules can vary slightly from one type of adapter to another, the basic principle is that you must terminate a SCSI chain at both ends. All devices use unique Verify that each device located on a particular SCSI chain has a unique SCSI ID numbers identification number. Duplicate identification numbers can cause intermittent failures or even data corruption. For newer devices, you can use the SCSI Configures Auto Magically (SCAM) standard. The host adapter and all devices must support the SCAM standard. Otherwise, ID numbers must be set manually. The BIOS on the Verify that the SCSI BIOS is enabled for the primary SCSI controller and that startup SCSI controller the BIOS on secondary controllers is disabled. SCSI firmware contains is enabled programming instructions that allow the computer to communicate with SCSI disks before Windows Server 2003 starts. Disabling this feature for all host adapters causes a startup failure. For information about disabling or enabling the BIOS, refer to the documentation provided with your SCSI controller. You are using the Verify that the connecting cables are the correct type and length, and are correct cables compliant with SCSI requirements. Different SCSI standards exist, each with specific cabling requirements. Consult the product documentation for more information. The firmware settings Verify that host adapter BIOS settings for each SCSI device are set correctly. for the host SCSI (The BIOS for the SCSI adapter is separate from the computer motherboard adapter match device firmware.) For each SCSI device, you can specify settings, such as Sync capabilities Negotiation, Maximum Transfer Rate, and Send Start Command, that can affect performance and compatibility. Certain SCSI devices might not function correctly if settings are set beyond the capabilities of the hardware. Consult the documentation for your SCSI adapter and device before changing default settings. SCSI adapters are Verify that you installed the host adapter in the correct motherboard slot. The installed in a master documentation for some PCI SCSI adapters recommends using busmaster PCI PCI slot slots to avoid problems on 32-bit computers. Refer to the manufacturer's documentation for your motherboard or computer to locate these busmaster PCI slots. If your SCSI adapter is installed in a non-busmaster PCI slot, move it to a master slot to see if the change improves operation and stability.

錯誤! 尚未定義樣式。 67

Note As a precaution, always shut down the computer and remove the power connector before troubleshooting hardware. Never attempt to install or remove internal devices if you are unfamiliar with hardware. Some computers do have internal "hot swap" features, or the ability to remove and insert devices without shutting down the computer. Check your computer documentation for more information.

For more information about the SCSI standard, see the SCSI link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. For more information about SCSI termination, see articles 92765, "Terminating a SCSI Device," and 154690, "How to Troubleshoot Event 9 and Event 11 Error Messages." To find these articles, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources.

Verify That System Firmware and Peripheral Firmware Are Up-to-Date You can sometimes trace instability and compatibility problems to outdated ACPI firmware. If your computer has firmware that is known to cause problems and an update is not yet available, technical support might advise you to disable ACPI and reinstall the operating system for stable operation. Although the option to disable ACPI is an option found on some 32-bit firmware, it is recommended that you leave this setting at the default value (typically enabled). To correctly disable or re-enable ACPI, you must first change firmware settings and then re- install Windows Server 2003 to avoid a Stop 0xA5 ACPI_BIOS_ERROR message or a Stop 0x79 MISMATCHED HAL message. Because of the numerous registry and system file changes required, you must rerun Setup (an upgrade installation does not work). If Setup does not respond when you are installing the operating system, the cause might be the firmware for your CD-ROM drives. Try upgrading the CD-ROM firmware to the latest version.

Test Your Hardware by Running Diagnostic Tools If the problem occurs after the POST routine finishes but before Windows Server 2003 fully loads, run any diagnostic software that the manufacturer of the hardware adapter provides. This software typically includes self-test programs that allow you to quickly verify proper operation of a device and might enable you to obtain additional information about the device, such as model number, hardware, and device firmware version. Simplifying Your Hardware Configuration Hardware problems can occur when you have both newer and older devices installed on your computer. If you cannot resolve problems by using safe mode and other options, such as rolling back drivers, temporarily disable or remove ISA devices that do not support Plug and Play. If you can start Windows Server 2003 with these older devices removed, this is an indication that 68 Chapter 9 Troubleshooting Startup

these devices are causing resource conflicts and you need to manually reconfigure the resources assigned to them. For more information about rolling back drivers, see “Rolling Back Drivers” earlier in this chapter. While you are diagnosing startup problems related to hardware, it is recommended that you simplify your configuration. Simplifying your computer configuration might enable you to start Windows Server 2003. You can then gradually increase the computer’s hardware configuration complexity until you reproduce the problem, which allows you to diagnose and resolve the problem. Avoid troubleshooting when you have several adapters and external peripherals installed. Starting with external and ISA devices, disable or remove hardware devices one at time until you are able to start your computer. Reinstall devices by following the manufacturer's instructions, verifying that each is functioning properly before checking the next device. For example, installing a PCI network adapter and a SCSI adapter at the same time can complicate troubleshooting because either adapter might cause a problem. ISA devices cause a large share of startup problems related to hardware because the PCI bus does not have a reliable method for determining ISA resource settings. Device conflicts might occur due to miscommunication between the two bus types. To avoid ISA and PCI conflicts, try temporarily removing ISA devices. After you install a new PCI device, you can use Device Manager to determine which system resources are available to ISA devices. Then reconfigure the ISA devices that do not support Plug and Play so that you eliminate any conflicts. If the problems continue after you reinstall ISA devices and you cannot resolve them with assistance from technical support, consider upgrading to newer hardware. Simplifying your computer configuration also helps when problems prevent you from installing Windows Server 2003. For more information about simplifying your hardware configuration to resolve setup problems, see article 224826, “Troubleshooting Text-Mode Setup Problems on ACPI Computers.” To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Checking the Hardware Configuration from Windows Installing new hardware or updating drivers can create conflicts, causing devices to become inaccessible. You can isolate and troubleshoot these problems using System Information and Device Manager. Use the System Information tool to check for problem devices and hardware conflicts. Then, use Device Manager to review resources used these devices to manually identify conflicts. To use the System Information tool to view problem devices 1. In the Run dialog box, type msinfo32, and then click OK. 2. Double-click Components, and then click Problem Devices. 3. Examine the Error Code column for information relating to the source of the problem. To use the System Information tool to view shared and conflicting resources 1. In the Run dialog box, type msinfo32, and then click OK. 錯誤! 尚未定義樣式。 69

2. Double-click Hardware Resources, and then click Conflicts/Sharing. 3. Examine the Resource and Device columns for devices that are incorrectly assigned overlapping resources. Remove or disable one of the devices, or use Device Manager to change the resources assigned to the devices.

Note The Windows NT 4.0 tool Windows Diagnostics (WInmsd.exe) has been replaced by System Information, which provides similar information. To start System Information at the command prompt, type winmsd or msinfo32.

To use Device Manager (Devmgmt.msc) to view or change system resource usage information 1. In the Run dialog box, type devmgmt.msc, and then click OK. 2. Double-click a device to open the properties dialog. 3. Select the Resources tab to view the resources used by that device. 4. Deselect the Use automatic settings check box. 5. Click Change Setting, and specify the resources assigned to the device. Diagnosing Disk-related Problems Disk-related problems typically occur before Windows Server 2003 starts or shortly afterwards. Table 9.20 provides a list of symptoms, possible causes, and sources of information that you can refer to. Table 9.20 Diagnosing Disk-related Startup Problems Symptom, Message or Problem Possible Cause The POST routine displays messages similar The system self-test routines halt due to to the following: improperly installed devices. Hard disk error. Hard disk absent/failed. The system displays MBR-related or boot The MBR or partition boot sector is sector-related messages similar to the corrupt due to problems with hardware or following: viruses. Missing operating system. Insert a system diskette and restart the system. The system displays messages about the The partition table is invalid due to partition table similar to the following: incorrect configuration of newly added Invalid partition table. disks. A disk-read error occurred. You cannot access Windows Server 2003 after The Windows Server 2003 boot sector is overwritten by another operating system's 70 Chapter 9 Troubleshooting Startup

installing another operating system. setup program. · In an x-86-based system, one of the Required startup files are missing or following files are missing or damaged, or entries in the Boot.ini are damaged: pointing to the wrong partition. · Boot.ini · Ntoskrnl.exe · Ntdetect.com The Windows loader or EFI boot manager Ntldr or IA64ldr.efi is missing or displays messages similar to the following: corrupted. Couldn't find loader. Please insert another disk. CMOS or NVRAM disk configuration settings The CMOS memory or NVRAM is faulty, are not retained. data is corrupted, or the battery that retains these settings needs replacing. For more information, follow the manufacturer's instructions for replacing or recharging the system battery. For Itanium-based computers, refer to your computer’s documentation for how to start the Nvrboot.efi tool.

Infrequently, disk-related issues, such as corrupted files, file system problems, or insufficient free space might cause Stop messages to appear. Resolving Shutdown Problems At first glance, shutdown and startup problems might appear to be unrelated, but they can stem from the same causes. Components that cause startup problems might also interfere with the shutdown process. System shutdown is an orderly process and involves the following: · Winlogon sends specific messages to devices, system services, and applications, notifying them that you are shutting down the computer. · Winlogon waits for applications to close open files and allows them a certain amount of time to complete clean-up tasks, such as writing unsaved data to disk. Typically, every enabled device, system service, and application replies to the shutdown message request, indicating to Winlogon that shutdown can safely occur. Shutdown problems can be caused by: · Device drivers or applications that do not respond to shutdown messages. 錯誤! 尚未定義樣式。 71

· System services that do not respond to shutdown messages or that send busy replies to the system. Busy replies might be due to a deadlock condition where two or more processes attempt to access the same resource. Because each process has a request for the other's resource, neither process can finish. · Faulty or incompatible drivers, services, or applications. · Hardware changes that cause device conflicts. · Firmware incompatibility or incorrectly configured firmware settings. To temporarily resolve problems that prevent shutdown, use Task Manager to close the unresponsive application or service. To stop an unresponsive application or service 1. Start Task Manager by pressing CTRL+SHIFT+ESC. 2. Click the Applications tab. The Applications tab provides status information and displays each task as either Running or Not Responding. 3. Click the item labeled Not Responding, and then click End Task. For more information about troubleshooting shutdown problems, see article 315409, “How to Troubleshoot Shutdown Problems in Windows 2000.” To find this article, see the Microsoft Knowledge Base link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. Additional Resources These resources contain additional information related to this chapter. Related Information · The Hardware Compatibility List link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. · The ACPI link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. · The Extensible Firmware Interface link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. · The Debugging Tools link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. · The Driver Development Kits link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. · The Microsoft Product Support Services link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. · The SCSI link on the Web Resources page at http://www.microsoft.com/windows/reskits/webresources. 72 Chapter 9 Troubleshooting Startup