The NT Boot Process

When you start a computer running Windows NT the computer executes a number of steps in turn in order to actually get you to your Windows NT desktop. On this page I am going to go through the steps involved in this process so as to give you information on what some of the system files are for. This will also give you an indication of what point in the boot process that your NT services start to run.

Initial Phase

When you first switch on your computer the computer usually executes a power on self test (POST). This involves reading the BIOS to find out the computer configuration and the date and time, testing the memory, and deciding which device attached to the computer that it should try to boot the operating system from.

If your computer decides to boot from a hard drive then it will read the Master Boot Record (MBR) on the first hard drive attached to the system in order to determine the active partition. The Partition Boot Sector (PBS) of the active partition will then be read to find out how to boot the operating system.

In the case of windows NT the PBS instructs the computer to load and execute the NT loader (NTLDR which is found in the root directory of the active partition).

Boot Loader

Windows NT itself starts to load when NTLDR is executed. This program looks at BOOT.INI to generate the boot menu allowing you to select which operating system you want to run. Other files such as BOOTSEC.DOS and NTBOOTDD.SYS are used to provide access to non NT operating systems and SCSI hard drives.

NTLDR switches the processor from real mode to protected mode and then runs NTDETECT.COM to detect all of the system hardware and build the appropriate registry entries.

You will then be given the option of continuing with the current hardware profile or pressing the spacebar to load the profile from the last successful NT boot.

Finally NTLDR will load the NT Kernel (NTOSKRNL.EXE) and pass it a list of device drivers that have appropriate registry entries indicating that they should be loaded at startup.


At this point the screen turns blue and the various device drivers and some services get loaded. A dot appears on the screen as each driver/service is loaded.

Once all of the device drivers are loaded the kernel executes WINLOGON.EXE to start the graphical environment.


You can now press CTRL-ALT-DEL to bring up the logon screen and logon to Windows NT.

The remaining services specified to be loaded at startup time get loaded at this time.

The boot process is now considered to be successful and NT updates the last known good hardware profile to match the current profile.


This article written by Stephen Chapman, Felgall Pty Ltd.

