Plug and Play
The PnP manager initially knows of just one virtual device on your PC, and it's named 'root'. This is used by the Hardware Abstraction Layer to detect your main bus and everything directly connected to the motherboard. Any discovered hardware returns a vendor ID representing the manufacturer and a product ID that tells Windows what it is.
The PnP Manager then looks in the Registry under HKLM\System\CurrentControlSet\Enum to find a key where the hardware type, vendor and product ID match the device. The key should contain a value called 'Driver' which points to a particular Registry key under HKLM\SYSTEM\ControlSet001\Control\Class and a value called 'infpath' that points to the driver INF file in \Windows\Inf.
This finally tells Windows where to load the driver. Alternatively, it'll discover that you don't have a driver installed for this device at all, in which case you'll be prompted to add it later, once Explorer has started.
As the process goes on, Windows will find different buses (PCI, USB and so on). It'll load their drivers, which will go on to discover everything attached to them, and this continues until all your hardware has been detected and the appropriate drivers loaded.
Hardware problems, driver faults or conflicts here can result in a very slow boot or your PC hanging altogether. If your PC locks up but can boot in Safe Mode, then that's a good indication of driver issues. Launch the Event Viewer ('eventvwr.msc') and look for recent errors that might offer clues. The Windows Vista Event Viewer also records details of performance problems during the boot process.
You can also ask Windows to record the drivers loaded during boot (run msconfig.exe, select the Boot tab, enable a Boot Log, restart and check '\Windows\Ntbtlog.txt'). Remove or re-install hardware you've added recently and update other drivers, in particular for your motherboard.
Eventually, the kernel continues the boot process by launching Session Manager ('smss.exe'). This uses the Registry keys at or below HKLM\System\CurrentControlSet\Session Manager to call functions. It'll run any programs defined at the BootExecute Registry Key, for instance. Normally this just launches 'autochk.exe' (the boot version of 'chkdsk.exe'), but other programs – and some viruses – will add themselves to the list.
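To check what BootExecute will run on your own PC, here is a short Python example added for this page (it is not Microsoft's code). It decodes the value from a Registry export and lists anything other than the stock autochk line. It assumes the export was taken from HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, the key's full path; the sample data and the name 'bootsvc.exe' are constructed for illustration.

```python
import re

# Stock BootExecute content on a clean install: autochk, the boot-time chkdsk.
EXPECTED = {"autocheck autochk *"}

def parse_multi_sz(reg_text, name):
    """Decode a REG_MULTI_SZ value (hex(7), UTF-16LE) from .reg export text."""
    m = re.search(r'"%s"=hex\(7\):([0-9a-fA-F,\\\s]*)' % re.escape(name), reg_text)
    if m is None:
        return None
    raw = bytes(int(b, 16) for b in re.findall(r"[0-9a-fA-F]{2}", m.group(1)))
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def unexpected_boot_entries(reg_text):
    """Return BootExecute entries that are not the stock autochk line."""
    entries = parse_multi_sz(reg_text, "BootExecute") or []
    return [e for e in entries if e.strip().lower() not in EXPECTED]

def to_reg_hex(strings):
    """Encode strings the way an export writes hex(7); used for sample data."""
    raw = "".join(s + "\x00" for s in strings).encode("utf-16-le") + b"\x00\x00"
    return ",".join("%02x" % b for b in raw)

# Constructed sample export; 'bootsvc.exe' is a made-up name, not a real indicator.
SAMPLE = (
    "Windows Registry Editor Version 5.00\n\n"
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager]\n"
    '"BootExecute"=hex(7):' + to_reg_hex(["autocheck autochk *", "bootsvc.exe"]) + "\n"
    '"CriticalSectionTimeout"=dword:00278d00\n'
)

if __name__ == "__main__":
    for entry in unexpected_boot_entries(SAMPLE):
        print("Review BootExecute entry:", entry)
```

A real export from Regedit is saved as UTF-16 with a byte-order mark, so open the file with encoding='utf-16' before passing its text to unexpected_boot_entries().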
Session Manager is also responsible for delayed file rename or delete operations. If an uninstall program can't remove a file because it's in use, for example, it'll add its details to its 'FileRenameOperations' key. Session Manager will follow its instructions at the next boot.
Session Manager reads the list of Known DLLs from the 'KnownDLLs' Registry key. It creates your paging files according to the Registry settings at Memory Management\Paging Files, loads the remaining Registry files from the \Windows\System32\Config folder and creates the system environment variables you'll find at HKLM\System\CurrentControlSet\Session Manager\Environment.
Next, Session Manager loads 'win32k.sys', a component that provides core Windows GUI services. This switches your display from the boot driver's basic VGA resolution to whatever you've got set up, so when this happens you'll know that the Session Manager is almost finished.
The most likely problem to occur here is that of a missing Registry. You can replace it using the same techniques that we used earlier in the Boot Drivers section.
Blue screen crashes naming win32k.sys are also common, but this file is rarely the culprit. Enter the stop code (it'll be something like '0x0000008e') and 'Win32k.sys' at www.support.microsoft.com for more advice.