Windows NT startup process

The Windows NT startup process is the process by which Microsoft's Windows NT, Windows 2000, Windows XP and Windows Server 2003 operating systems initialize.

Kernel loading phase

The initialization of the kernel subsystem and the Windows Executive subsystems is done in two phases.

During the first phase, basic internal memory structures are created, and each CPU's interrupt controller is initialized. The memory manager is initialized, creating areas for the file system cache and for the paged and non-paged memory pools. The Object Manager, the initial security token for assignment to the first process on the system, and the Process Manager itself are also initialized. The System idle process as well as the System process are created at this point.

The second phase involves initializing the device drivers which were identified by NTLDR as being system drivers.

Through the process of loading device drivers, a "progress bar" is visible at the bottom of the display on Windows 2000 systems; in Windows XP and Windows Server 2003, this was replaced by an animated bar which does not represent actual progress. Prior to Windows XP, this part of the boot process took significantly longer; this is because the drivers would be initialized one at a time. On Windows XP and Server 2003, the drivers are all initialized asynchronously.


Session Manager

Once all the Boot and System drivers have been loaded, the kernel (system thread) starts the Session Manager Subsystem (smss.exe).

Before any files are opened, Autochk is started by smss.exe. Autochk mounts all drives and checks them one at a time to see whether they were shut down cleanly. If a drive was not, it automatically runs chkdsk; however, the user can abort this by pressing any key within 10 seconds (this was implemented in Windows NT 4.0 Service Pack 4; in earlier versions chkdsk could not be skipped). Since Windows 2000, XP and 2003 show no text screen at that point (unlike NT, which still shows the blue text screen), they show a different background picture with a mini text screen in the center of the display, in which the progress of chkdsk is shown.

At boot time, the Session Manager Subsystem:

* Creates environment variables (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment)
* Starts the kernel-mode side of the Win32 subsystem (win32k.sys). This allows Windows to switch into graphical mode as there is now enough infrastructure in place.
* Starts the user-mode side of the Win32 subsystem, the Client/Server Runtime Server Subsystem (csrss.exe). This makes Win32 available to user-mode applications.
* Creates virtual memory paging files (HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management)
* Any rename operations queued up are performed. This allows previously in-use files (e.g. drivers) to be replaced as part of a reboot.
* Starts the Windows Logon Manager (winlogon.exe). Winlogon is responsible for handling interactive logons to a Windows system (local or remote). The Graphical Identification And Authentication (GINA) library is loaded inside the Winlogon process, and provides support for logging in as a local or Windows domain user.

The Session Manager stores its configuration at HKLM\SYSTEM\CurrentControlSet\Control\Session Manager. The exact operation of most of these items is based on the configuration set in the registry.


Winlogon

Winlogon is responsible for responding to the secure attention key (called the secure attention sequence, SAS, in Windows; it is the Control-Alt-Delete key combination), loading the user profile on logon, and optionally locking the computer when a screensaver is running. In Windows Vista and later operating systems, Winlogon's roles and responsibilities have changed significantly.

1. Winlogon calls GINA
   1. GINA begin-logon prompt is displayed
   2. User presses SAS (Control-Alt-Delete)
   3. GINA logon dialog is displayed
   4. User inputs credentials (Username, Domain and Password)
   5. GINA passes credentials back to Winlogon
2. Winlogon passes credentials to LSA
   * LSA determines which account database is to be used
     o Local SAM
     o Domain SAM
     o Active Directory
3. Winlogon (loaded by SMSS)
   * At this point, Winlogon starts the Service Control Manager (SCM), which in turn will start all the Windows services that are set to "Auto-Start". The Local Security Authority Subsystem Service (lsass.exe) is also started, which enforces the local security policy (checking user permissions, creating audit trails, doling out security tokens, etc.).
   * userinit.exe

Logon phase

After a user has successfully logged in to the machine, Winlogon does the following:

* Updates the Control Sets; the LastKnownGood control set is updated to reflect the current control set.
* User and Computer Group Policy settings are applied.
* Startup programs are run from the following locations:
1. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
2. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run
3. HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
4. HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run
5. HKCU\Software\Microsoft\Windows\CurrentVersion\Run
6. HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
7. All Users ProfilePath\Start Menu\Programs\Startup\ (please note that this path is localized on non-English versions of Windows)
8. Current User ProfilePath\Start Menu\Programs\Startup\ (please note that this path is localized on non-English versions of Windows)
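As an added example that is not part of the original article, the following PowerShell script (run in an elevated session on a Windows host) enumerates the autostart locations listed above in the same order Winlogon uses them, resolves the localized Startup folders instead of hard-coding the English path, and reads the Session Manager's queued rename operations described in the previous section. The value name PendingFileRenameOperations under the Session Manager key is an assumption; the page does not name it.

```powershell
# Added audit script (not from the article): lists what Winlogon would run from
# the autostart locations above, in the article's order, and the renames smss.exe
# will apply at the next boot. Read-only; run in an elevated PowerShell on Windows.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-RunKeyEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $item = Get-Item -LiteralPath $key
        foreach ($name in $item.GetValueNames()) {
            [pscustomobject]@{ Location = $key; Name = $name; Command = $item.GetValue($name) }
        }
    }
}

function Get-StartupFolderEntries {
    # SpecialFolder resolves the localized Start Menu\Programs\Startup path, which is
    # why the literal English path from the list cannot be hard-coded reliably.
    foreach ($folder in 'CommonStartup', 'Startup') {
        $path = [Environment]::GetFolderPath($folder)
        if (-not $path -or -not (Test-Path -LiteralPath $path)) { continue }
        Get-ChildItem -LiteralPath $path -File -Force | Where-Object Name -ne 'desktop.ini' |
            ForEach-Object { [pscustomobject]@{ Location = $path; Name = $_.Name; Command = $_.FullName } }
    }
}

function Get-PendingRenames {
    # PendingFileRenameOperations (assumed value name under the Session Manager key) is a
    # REG_MULTI_SZ of source/destination pairs; an empty destination means "delete".
    $smKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $ops = (Get-ItemProperty -LiteralPath $smKey -ErrorAction SilentlyContinue).PendingFileRenameOperations
    for ($i = 0; $i + 1 -lt @($ops).Count; $i += 2) {
        [pscustomobject]@{ Source = $ops[$i]; Destination = $ops[$i + 1] }
    }
}

Get-RunKeyEntries        | Format-Table -AutoSize
Get-StartupFolderEntries | Format-Table -AutoSize
Get-PendingRenames       | Format-Table -AutoSize
```

Comparing the output against a known-good baseline of the same host is what turns this listing into a check: any entry that was not there before is something Winlogon or smss.exe will execute on the next boot or logon.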

This article is licensed under the GNU Free Documentation License. It uses material from Wikipedia.