What's the order of Windows startup?

I'm curious to know the order of Windows startup during a user login. Does anyone know? Basically, my application was being invoked by a login script that a GPO calls. While the 3rd-party EXE was being invoked, it was failing to start.

Then, through trial and error, I found that HKCU...\RunOnce keys execute after the login script. Same result, the EXE was being called, but failing to start.

What worked: updated the login script to create a shortcut in the user's Startup folder. Now the EXE starts up as expected.

I know that AutoRuns can tell me all the locations where startup items can be placed, but does anyone know the execution order as a whole? I was able to find that Run and RunOnce keys get called asynchronously. I can keep testing each startup item that AutoRuns states, but this could take days.

I'm mostly interested in the Windows 2003 Server login startup flow, but I would suspect it's very similar to other Windows flavors in use today.

Eighth answered 3/12, 2012 at 15:5 Comment(3)
technet.microsoft.com/en-us/library/bb457123.aspx Look at the "Logon Phase" section. - Verily
Have a look into "Windows Internals" by Mark E. Russinovich and David A. Solomon. They explain this in great detail. - Pagandom
Yes, I have one of the latest editions, but I didn't find the page where it listed the order of execution (and I was not skimming over the chapters). Maybe I missed it, would you recall the chapter? - Eighth

Source: Understanding the Startup Process - Windows 7 Tutorial

The normal startup sequence for Windows 7 is:

  1. Power-on self test (POST) phase
  2. Initial startup phase
  3. Windows Boot Manager phase
  4. Windows Boot Loader phase
  5. Kernel loading phase
  6. Logon phase

[Figure: a high-level overview of the different paths startup can take]

Kernel Loading Phase

The Windows Boot Loader is responsible for loading the Windows kernel (Ntoskrnl.exe) and the HAL into memory. Together, the kernel and the HAL initialize a group of software features that are called the Windows executive. The Windows executive processes the configuration information stored in the registry in HKLM\SYSTEM\CurrentControlSet and starts services and drivers. The following sections provide more detail about the kernel loading phase.

Logon Phase

The Windows subsystem starts Winlogon.exe, a system service that enables you to log on and log off. Winlogon.exe then does the following:

  • Starts the Services subsystem (Services.exe), also known as the SCM. The SCM initializes services that the registry entry Start designates as Autoload in the registry subkey HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Servicename.
  • Starts the Local Security Authority (LSA) process (Lsass.exe).
  • Parses the Ctrl+Alt+Delete key combination at the Begin Logon prompt (if the computer is part of an AD DS domain).

The logon user interface (LogonUI) feature and the credential provider (which can be the standard credential provider or a third-party credential provider) collect the user name and password (or other credentials) and pass this information securely to the LSA for authentication. If the user supplied valid credentials, access is granted by using either the default Kerberos V 5 authentication protocol or Windows NT LAN Manager (NTLM).

Winlogon initializes security and authentication features while PnP initializes auto-load services and drivers. After the user logs on, the control set referenced by the registry entry LastKnownGood (located in HKLM\SYSTEM\Select) is updated with the contents in the CurrentControlSet subkey. By default, Winlogon then starts Userinit.exe and the Windows Explorer shell. Userinit may then start other processes, including:

  • Group Policy settings take effect: Group Policy settings that apply to the user and computer take effect.
  • Startup programs run: When not overridden by Group Policy settings, Windows starts logon scripts, startup programs, and services referenced in the following registry subkeys and file system folders:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
    SystemDrive\Documents and Settings\All Users\Start Menu\Programs\Startup
    SystemDrive\Documents and Settings\username\Start Menu\Programs\Startup
    

Several applications might be configured to start by default after you install Windows, including Windows Defender. Computer manufacturers or IT departments might configure other startup applications.

Windows startup is not complete until a user successfully logs on to the computer. If startup fails during the logon phase, you have a problem with a service or application configured to start automatically.

If you want further information, check the source link.

Tantra answered 3/12, 2012 at 15:58 Comment(8)
Took me a while to get through this, just as interesting as the Windows Internals book I have. Unfortunately, I'm unable to find the step where it says something like "Step n: Execute user's Startup folder files". As before, I did notice RunOnce ran before the user's Startup folder. Apologies if I missed it from your answer. - Eighth
Although credited, this is 100% copy/paste from the given source, and should not be posted as an answer unless explicitly granted by the copyright owner imo. I'd rather post this as a comment with a link to the source. - Lautrec
From sourcedaddy.com/legal: (...)You agree not to modify, reproduce, transmit, distribute, discriminate, sell, publish or broadcast any such material or content without the written authorization of SourceDaddy or the appropriate affiliate or licensor. - Lautrec
@SteinarLima Yeah, we see that almost everywhere that is quoted as copy-pasta. It's here, it's got two votes, it answers the question and it's the only answer. I just formatted it to look better (you should see how crappy the original answer was). (btw, avoid non-code content in code blocks, even in comments). - Letha
@SteinarLima You'll be surprised to know that SourceDaddy themselves copied this from Microsoft TechNet. - Letha
@Letha Interesting that SourceDaddy have copied the material themselves, but it doesn't change the fact that this answer does not obey the SO rules, and thus this answer should be deleted. - Lautrec
@Letha Just click the edited xx mins ago to see the revision history of an answer/question. And comments only support bold, italic, code and links markdown, so I'll continue to use code markdown for quotes in comments if that is OK with you. - Lautrec
I have a question: by putting an app's shortcut into the Startup folder, will it auto-run after reboot without logging in to Windows? - Veronica
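
For auditing what is actually registered in the locations the answer lists, the following read-only PowerShell inventory walks them in the same order; it is an added example, not part of the original question or answer. It assumes PowerShell 3.0 or later, and the `Order` column is only the position in that list, not a documented execution order.

```powershell
# Added example (read-only). Run as the logged-on user so HKCU and the
# per-user Startup folder resolve to that user's profile.
$locations = @(
    @{ Kind = 'Key';    Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce' }
    @{ Kind = 'Key';    Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run' }
    @{ Kind = 'Key';    Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' }
    # Listed like a subkey in the answer, but stored as the value "Run" under ...\Windows.
    @{ Kind = 'Value';  Path = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows'; Name = 'Run' }
    @{ Kind = 'Key';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' }
    @{ Kind = 'Key';    Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce' }
    # Asked from the shell rather than hard-coding "Documents and Settings".
    @{ Kind = 'Folder'; Path = [Environment]::GetFolderPath('CommonStartup') }
    @{ Kind = 'Folder'; Path = [Environment]::GetFolderPath('Startup') }
)
$shell = New-Object -ComObject WScript.Shell   # used only to read .lnk targets
$order = 0
$inventory = foreach ($loc in $locations) {
    $order++
    switch ($loc.Kind) {
        'Key' {
            $key = Get-Item -LiteralPath $loc.Path -ErrorAction SilentlyContinue
            if ($key) {
                foreach ($name in $key.GetValueNames()) {
                    [pscustomobject]@{ Order = $order; Location = $loc.Path
                                       Name = $name; Command = $key.GetValue($name) }
                }
            }
        }
        'Value' {
            $props = Get-ItemProperty -LiteralPath $loc.Path -Name $loc.Name -ErrorAction SilentlyContinue
            if ($props) {
                [pscustomobject]@{ Order = $order; Location = $loc.Path
                                   Name = $loc.Name; Command = $props.($loc.Name) }
            }
        }
        'Folder' {
            if ($loc.Path -and (Test-Path -LiteralPath $loc.Path)) {
                Get-ChildItem -LiteralPath $loc.Path -File -Force |
                    Where-Object Name -ne 'desktop.ini' |
                    ForEach-Object {
                        # For shortcuts, report the program they point at.
                        $target = if ($_.Extension -eq '.lnk') { $shell.CreateShortcut($_.FullName).TargetPath } else { $_.FullName }
                        [pscustomobject]@{ Order = $order; Location = $loc.Path
                                           Name = $_.Name; Command = $target }
                    }
            }
        }
    }
}
$inventory | Sort-Object Order, Name | Format-Table -AutoSize -Wrap
```

Comparing this output between a known-good baseline and a later run is a quick way to spot autostart entries that were added outside of Group Policy or software deployment.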
